Thread:Manuel de la Fuente/@comment-188432-20180123175123/@comment-188432-20180131013510

So I wanna take a moment with this latest revision to thank you for putting even more HTML escape safeguards in this code, and for shrinking it down in size. Really fantastic work.

But I did just want to pause for a moment and consider whether the following block of code shouldn't have some more explicit escapes in it:

    /**
     * Sets checkboxes
     */
    function checkboxes (content, isMod, canBlock) {
        // Gets header
        var header = document.getElementsByClassName('page-header__main')[0];
        // Creates wrapper
        var chbxsFrag = document.createRange().createContextualFragment(' ');
        var div = chbxsFrag.firstChild;
        var i = 0;
        // Function to create each checkbox
        function makeChbx (name, id, cookie) {
            var frag = document.createRange().createContextualFragment(
                ' ' +
                '' + name + ' ' +
                '' +
                '' +
                ' '
            );

I'm looking especially at the bit that creates the check box and wondering if there might be any attack vector in the unescaped  and.

Lemme know what you think :)
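The concern raised in the comment above, as an added example that is not part of the original post or of the script under discussion: values concatenated into a markup string are parsed as HTML unless they are escaped first. The label/input markup, the function names `escapeHtml`, `makeChbxMarkupUnsafe`, `makeChbxMarkup` and `countTags`, and the sample values are assumptions, since the script's own HTML strings did not survive on this page.

```javascript
// Added example. The checkbox markup is an assumed stand-in for the
// script's real strings, which are not visible on this page.

// Escape the characters that can change HTML structure, both in element
// text and inside a quoted attribute value.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) {
    return map[ch];
  });
}

// Unsafe shape: name and id go into the markup string as-is, so any
// markup characters they contain are parsed as HTML.
function makeChbxMarkupUnsafe(name, id) {
  return '<label for="' + id + '">' + name + '</label>' +
         '<input type="checkbox" id="' + id + '">';
}

// Hardened shape: every interpolated value is escaped before concatenation.
function makeChbxMarkup(name, id) {
  var safeId = escapeHtml(id);
  return '<label for="' + safeId + '">' + escapeHtml(name) + '</label>' +
         '<input type="checkbox" id="' + safeId + '">';
}

// Rough structural check: count element start tags in a markup string.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample values containing markup characters.
var sampleName = 'Bots & <b>staff</b>';
var sampleId = 'chk"1';

console.log(countTags(makeChbxMarkupUnsafe(sampleName, 'chk1'))); // extra element from name
console.log(makeChbxMarkup(sampleName, sampleId));                // name and id rendered inert
```

In a browser, building the same elements with `document.createElement`, `textContent` and `setAttribute` avoids string parsing of these values altogether.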