Replying to [comment:3 dmethvin]:
For the example you've referenced in the Mobile docs, it seems perfectly safe since the input is trusted (it's in the code). I understand your point but there are several other solutions including DOM element creation and good templating systems that escape the HTML.
Yes, but in general, people follow the path of least resistance. If the jQuery examples don't escape because the input is trusted, things will appear to work for someone who takes the example and uses it on untrusted data. Except their code will be exploitable, or at least unreliable.
Note that the *whole point* of .html() is to insert HTML (including scripts that execute) into the document, so we can't change that behavior.
Right. I'm not suggesting removing or changing .html()/.append() or the variety of functions that accept HTML currently in jQuery. This bug is more about:
1) There should be an official in-jQuery API to escape HTML (both body text and attributes)
2) That function should be used in the examples, even if not strictly necessary
There is some related discussion on #9521.
Yeah, related, but this bug is about how jQuery *encourages* using .html() but doesn't supply an escaping function.
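To make concrete what the two requests above (an escaping function for body text and attribute values, and examples that use it) and the "templating systems that escape" alternative would look like, here is an added example. It is not jQuery code and not part of this ticket; `escapeHtml`, `html`, `renderUnescaped`, `renderEscaped` and the sample input strings are all assumed names and constructed values:

```javascript
// Added example, not jQuery's own API: an HTML escaper for the two contexts the
// ticket names (element body text and attribute values), plus a tagged template
// that applies it automatically, i.e. the "templating that escapes" alternative.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for use as element text content or inside a *quoted*
// attribute value. Escaping & < > " ' covers both contexts as long as the
// attribute is written with quotes; unquoted attributes would need more.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are markup written by the developer and
// therefore trusted; every interpolated value is treated as data and escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// The pattern the docs examples encourage: concatenate a markup string and hand
// it to .html(). Safe while the pieces are literals in the code, but as soon as
// one of them is data from outside, that data is parsed as markup.
function renderUnescaped(title, label) {
  return '<li title="' + title + '">' + label + '</li>';
}

// The same markup built with the escaping template: the data stays data.
function renderEscaped(title, label) {
  return html`<li title="${title}">${label}</li>`;
}

// Constructed untrusted input (hypothetical values, not from the ticket):
// the title tries to close the attribute and add another one, the label tries
// to inject an element.
const UNTRUSTED_TITLE = '" data-injected="yes';
const UNTRUSTED_LABEL = '<b>not bold, just text</b>';

console.log(renderUnescaped(UNTRUSTED_TITLE, UNTRUSTED_LABEL));
// <li title="" data-injected="yes"><b>not bold, just text</b></li>
console.log(renderEscaped(UNTRUSTED_TITLE, UNTRUSTED_LABEL));
// <li title="&quot; data-injected=&quot;yes">&lt;b&gt;not bold, just text&lt;/b&gt;</li>
```

In a page that uses jQuery, the result of `renderEscaped(...)` is what would be passed to `.html()` or `.append()`; those calls still parse markup, but only the markup the developer wrote. For the simpler case of setting a single node's text, jQuery's existing `.text()` already avoids parsing altogether and needs no escaping.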