Document escaping HTML, script injection. Fixes jquery#23

Author: kswedberg

entries/after.xml

@@ -100,6 +100,7 @@ $( "p" ).first().after( $newdiv1, [ newdiv2, existingdiv1 ] );
     </code></pre>
     <p>Since <code>.after()</code> can accept any number of additional arguments, the same result can be achieved by passing in the three <code>&lt;div&gt;</code>s as three separate arguments, like so: <code>$( "p" ).first().after( $newdiv1, newdiv2, existingdiv1 )</code>. The type and number of arguments will largely depend on the elements that are collected in the code.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Inserts some HTML after all paragraphs.</desc>
     <code><![CDATA[

entries/append.xml

@@ -79,6 +79,7 @@ $( "body" ).append( $newdiv1, [ newdiv2, existingdiv1 ] );
     </code></pre>
     <p>Since <code>.append()</code> can accept any number of additional arguments, the same result can be achieved by passing in the three <code>&lt;div&gt;</code>s as three separate arguments, like so: <code>$('body').append( $newdiv1, newdiv2, existingdiv1 )</code>. The type and number of arguments will largely depend on how you collect the elements in your code.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Appends some HTML to all paragraphs.</desc>
     <code><![CDATA[

entries/appendTo.xml

@@ -56,6 +56,7 @@ $( "h2" ).appendTo( $( ".container" ) );
     <p>If there is more than one target element, however, cloned copies of the inserted element will be created for each target after the first, and that new set (the original element plus clones) is returned.</p>
 	<p><strong>Before jQuery 1.9,</strong> the append-to-single-element case did not create a new set, but instead returned the original set which made it difficult to use the <code>.end()</code> method reliably when being used with an unknown number of elements.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Append all spans to the element with the ID "foo" (Check append() documentation for more examples)</desc>
     <code><![CDATA[

entries/before.xml

@@ -80,6 +80,7 @@ $( "p" ).first().before( newdiv1, [ newdiv2, existingdiv1 ] );
     </code></pre>
     <p>Since <code>.before()</code> can accept any number of additional arguments, the same result can be achieved by passing in the three <code>&lt;div&gt;</code>s as three separate arguments, like so: <code>$( "p" ).first().before( $newdiv1, newdiv2, existingdiv1 )</code>. The type and number of arguments will largely depend on how you collect the elements in your code.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Inserts some HTML before all paragraphs.</desc>
     <code><![CDATA[

entries/html.xml

@@ -25,6 +25,7 @@ $( "div.demo-container" ).html();
       </code></pre>
       <p>This method uses the browser's <code>innerHTML</code> property. Some browsers may not return HTML that exactly replicates the HTML source in an original document. For example, Internet Explorer sometimes leaves off the quotes around attribute values if they contain only alphanumeric characters.</p>
     </longdesc>
+    <note id="html-code-execution" type="additional"/>
     <example>
       <desc>Click a paragraph to convert it from html to text.</desc>
       <code><![CDATA[

entries/insertAfter.xml

@@ -52,6 +52,7 @@ $( "h2" ).insertAfter( $( ".container" ) );
     <p>If there is more than one target element, however, cloned copies of the inserted element will be created for each target after the first, and that new set (the original element plus clones) is returned.</p>
     <p><strong>Before jQuery 1.9,</strong> the append-to-single-element case did not create a new set, but instead returned the original set which made it difficult to use the <code>.end()</code> method reliably when being used with an unknown number of elements.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Insert all paragraphs after an element with id of "foo". Same as $( "#foo" ).after( "p" )</desc>
     <code><![CDATA[

entries/insertBefore.xml

@@ -52,6 +52,7 @@ $( "h2" ).insertBefore( $( ".container" ) );
     <p>If there is more than one target element, however, cloned copies of the inserted element will be created for each target after the first, and that new set (the original element plus clones) is returned.</p>
     <p><strong>Before jQuery 1.9,</strong> the append-to-single-element case did not create a new set, but instead returned the original set which made it difficult to use the <code>.end()</code> method reliably when being used with an unknown number of elements.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Insert all paragraphs before an element with id of "foo". Same as $( "#foo" ).before( "p" )</desc>
     <code><![CDATA[

entries/prepend.xml

@@ -79,6 +79,7 @@ $( "body" ).prepend( $newdiv1, [ newdiv2, existingdiv1 ] );
     </code></pre>
     <p>Since <code>.prepend()</code> can accept any number of additional arguments, the same result can be achieved by passing in the three <code>&lt;div&gt;</code>s as three separate arguments, like so: <code>$( "body" ).prepend( $newdiv1, newdiv2, existingdiv1 )</code>. The type and number of arguments will largely depend on how you collect the elements in your code.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Prepends some HTML to all paragraphs.</desc>
     <code><![CDATA[

entries/prependTo.xml

@@ -55,6 +55,7 @@ $( "h2" ).prependTo( $( ".container" ) );
     </code></pre>
     <p>If there is more than one target element, however, cloned copies of the inserted element will be created for each target after the first.</p>
   </longdesc>
+  <note id="html-code-execution" type="additional"/>
   <example>
     <desc>Prepend all spans to the element with the ID "foo" (Check .prepend() documentation for more examples)</desc>
     <css><![CDATA[

notes.xsl

@@ -40,6 +40,9 @@
 		<xsl:when test="@id = 'slide-in-ie'">
 			If <code><xsl:value-of select="@data-title"/></code> is called on an unordered list (<code>&lt;ul&gt;</code>) and its <code>&lt;li&gt;</code> elements have position (relative, absolute, or fixed), the effect may not work properly in IE6 through at least IE9 unless the <code>&lt;ul&gt;</code> has "layout." To remedy the problem, add the <code>position: relative;</code> and <code>zoom: 1;</code> CSS declarations to the <code>ul</code>.
 		</xsl:when>
+		<xsl:when test="@id = 'html-code-execution'">
+			By design, any jQuery constructor or method that accepts an HTML string — <a href="/jQuery/">jQuery()</a>, <a href="/append/">.append()</a>, <a href="/after/">.after()</a>, etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, <code>&lt;img onload=""&gt;</code>). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.
+		</xsl:when>
 	</xsl:choose>
 </xsl:template>
 </xsl:stylesheet>