Thread:ShinyAfro/@comment-188432-20180823182945

Hey hey :)

Thanks for your hard work on Index.js! We're always excited to look at innovations over at Dev Wiki!

A couple of us were kicking it around the office today, however. and we've decided to reject it for now.

Thing is, it's fairly obscurely written, preventing us from assessing its full security implications in a reasonable time. Because obscurity of code is a reason, in itself, for rejection under the JS Review guidelines, do please consider reframing Index.js with more clearly-named variables, annotations, and fewer remarked-out lines.

Also, there do appear to be some genuine security concerns on the face of it. We kinda think that if a category has a name of, say, [EDITED, per below], the script will be vulnerable. Additionally, in the expression, it seems entirely possible that val could be HTML — a risky situation since that whole thing is directly inserted into the   function.

As you're rewriting, it'll be important for you to make sure this value is always escaped. A good option, but not the only one, is of course.

Thanks again for your submission! We genuinely look forward to seeing your next attempt!  