E.g. the JQuery template means create a link whose target is the result of url and whose body contains the result of text. JQuery does a lot better than most templating languages; message is assumed to be plain text and automatically encoded so that the page can't be XSSed that way. But it does nothing about url. If an attacker can make
I've been cooking up a way to fix templating languages like JQuery. You can play around with Secure JQuery templates in the playground, or read up on the design which also includes an analysis of the performance of this system as applied to another templating language.
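To make the text-versus-URL distinction concrete, here is an added example (not code from the original post, jQuery, or the Secure jQuery templates project) of a minimal contextual autoescaper: a tiny ${name} placeholder syntax, a constructed link template, and a constructed hostile data set. It contrasts a naive renderer that HTML-escapes every placeholder the same way (enough for text, useless for a link target) with one that notices when a placeholder sits in an href and applies a URL sanitizer first. The context tracker only recognises a placeholder at the start of a double-quoted attribute value; a real implementation runs a full HTML/CSS/JS state machine.

```javascript
// Added example, not code from the original post or from jQuery/Secure
// jQuery templates: a minimal contextual autoescaper that picks the escaper
// for each ${name} placeholder from the HTML context it lands in.

// Escaping for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// URL context: allow http(s), mailto, or scheme-less URLs (no ':' before the
// first '/', '?' or '#'). Anything else, including "javascript:" with tabs or
// newlines inserted into the scheme, is replaced by an inert placeholder URL.
function sanitizeUrl(value) {
  var url = String(value);
  if (/^(?:(?:https?|mailto):|[^:\/?#]*(?:[\/?#]|$))/i.test(url)) {
    return url;
  }
  return "about:invalid#unsafe-url-rejected";
}

// Decide the context from the output produced so far. This toy tracker only
// recognises a placeholder at the start of a double-quoted attribute value;
// a real autoescaper runs a full HTML/CSS/JS state machine.
function contextOf(prefix) {
  if (/\b(?:href|src|action)\s*=\s*"$/i.test(prefix)) return "url";
  if (/<[a-zA-Z][^>]*\s[\w-]+\s*=\s*"$/.test(prefix)) return "attr";
  return "text";
}

function escapeFor(context, value) {
  // A URL is sanitized first and then attribute-escaped, so a '"' or '&'
  // inside an otherwise acceptable URL still cannot break out of the attribute.
  if (context === "url") return escapeHtml(sanitizeUrl(value));
  return escapeHtml(value);
}

// Expand ${name} placeholders. Previously substituted values are already
// escaped, so they cannot contain a raw '"' or '<' and cannot fake a context.
function renderWith(template, data, escaper) {
  var out = "", last = 0, m;
  var re = /\$\{(\w+)\}/g;
  while ((m = re.exec(template)) !== null) {
    out += template.slice(last, m.index);
    out += escaper(contextOf(out), data[m[1]]);
    last = re.lastIndex;
  }
  return out + template.slice(last);
}

// Contextual: URL placeholders are sanitized, everything else HTML-escaped.
function secureRender(template, data) {
  return renderWith(template, data, escapeFor);
}

// One escaper everywhere (HTML escaping only), the behaviour described in the
// post: text placeholders are safe, but an href value is inserted as-is.
function naiveRender(template, data) {
  return renderWith(template, data, function (context, value) {
    return escapeHtml(value);
  });
}

// Constructed sample data: a hostile link target next to ordinary text.
var sampleTemplate = '<a href="${url}" title="${title}">${text}</a>';
var hostile = { url: "javascript:alert(1)", title: 'Say "hi"', text: "<b>Tom</b> & Jerry" };
var benign = { url: "https://example.com/?q=a&b=c", title: "ok", text: "plain" };

console.log(naiveRender(sampleTemplate, hostile));  // href still carries the javascript: URL
console.log(secureRender(sampleTemplate, hostile)); // href replaced by about:invalid
console.log(secureRender(sampleTemplate, benign));  // https URL kept, '&' attribute-escaped
```

Two design points are worth noting. The URL check deliberately works on the raw string and refuses anything with a ':' before the first '/', '?' or '#' unless the scheme is one of the allowed ones, so whitespace smuggled into the scheme does not help; protocol-relative URLs (//host/path) are still allowed, which is a policy choice to revisit per site. And the order is always sanitize-then-escape: the attribute escaper runs on the sanitizer's output, so the two steps never undo each other.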