Outdated jQuery Insecure

This page uses jQuery 1.12.4 and shows a risky pattern: rendering untrusted input with .html(), which parses the string as markup and lets any embedded scripts or inline event handlers run.

Risky Pattern — Direct .html()

Don’t do this

Why it’s bad: if this content comes from users or URLs, it can inject scripts or event handlers (e.g., onerror) that run in the page context with the page’s origin and session.

  1. Paste payload like <img src=x onerror="alert('XSS via .html()')"> below.
  2. Click Render UNSAFELY and observe behavior.
  3. Compare with the secure demo that uses .text()/sanitization.
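As an added example (not the demo page’s own code), the same untrusted string rendered the risky way and the safe way. The jQuery calls appear in comments; `escapeHtml()` reproduces what the browser does when a string is inserted as a text node, so the example also runs in Node without a DOM. `looksLikeMarkup()` is an assumed helper for logging, not a sanitizer.

```javascript
// Constructed sample: the payload the demo above asks you to paste.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(\'XSS via .html()\')">';

// Escape the five characters that let text be read as a tag or attribute value.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Risky: jQuery's .html(input) (or element.innerHTML = input) hands the string
// to the HTML parser, so an <img onerror=...> is created and its handler fires.
function renderUnsafe(target, input) {
  if (target && 'innerHTML' in target) target.innerHTML = input; // browser: $(target).html(input)
  return input; // exactly what reaches the parser: the markup, unchanged
}

// Safe: jQuery's .text(input) (or element.textContent = input) creates a text
// node; the browser serialises it back as escaped markup and nothing executes.
function renderSafe(target, input) {
  if (target && 'textContent' in target) target.textContent = input; // browser: $(target).text(input)
  return escapeHtml(input); // what the DOM would serialise for that text node
}

// Assumed helper: true if the string contains a tag or an inline event-handler
// attribute. Useful to flag and log suspicious input; it is NOT a sanitizer,
// so never use it to decide that .html() is safe for a given string.
function looksLikeMarkup(input) {
  return /<\s*[a-z!\/]/i.test(input) || /\bon[a-z]+\s*=/i.test(input);
}
```

Pass a real element (or `document.body`) as `target` in the browser to see the two behaviours side by side; with `null` the functions only return the string each path would produce.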