returning JSONP is the the cool hipster way to go (well, not hipster cool anymore, but the hipsters were doing it before it went mainstream), but I'm not convinced it is inherently a problem to return HTML for use in "AJAX" type development in a non--ironic-retro way.
On Dec 7, 2011, at 2:19 PM, Robert Sanderson wrote:
> * Lax Security -- It's easier to get into trouble when you're simply
> inlining HTML received, compared to building the elements. Getting
> into the same bad habits as SQL injection. It might not be a big deal
> now, but it will be later on.
I've been scratching my head about this one. Can someone elaborate on this?
|