Forgot to add the "long-term" part of that comment... long term we need to move away from reading these values out of the DOM entirely. JSON should stay JSON and should be loaded as such via AJAX or websockets. Then a proper client-side templating library can be used to construct these elements and sanitizing can be done in a standardized fashion.