Please read this statement carefully: let's assume before ANY elements are added to the document
all unsafe elements in $dom have
Excellent question. It appears it is possible to inject script and place event handlers inside it. I've tested using the following HTML:
');
$(".firstbutton").click(function() {
$("BODY").append($dom);
});
});
-->
You can see that the second button has no effect until the first button has been clicked and the script tag added to the DOM.
This could possibly be open to abuse if user form input is taken and dynamically inserted into the page. In which case data sanitisation should definitely be used.
This is something I'd never thought of - thanks for raising it.
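
One way to handle the sanitisation mentioned in the answer above, as an added example that is not part of the original post: a tagged template that escapes every interpolated value before the string is handed to `$()` or `.append()`. The names `escapeHtml`, `safeHtml`, `renderComment` and `countOpeningTags` and the sample inputs are constructed for illustration.

```javascript
// Added example: escape user input before it is parsed as HTML.
// All function names and sample values here are hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Replace the five characters that can start markup or end an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are the developer's trusted markup,
// every ${...} value is treated as untrusted data and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) =>
      out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Builds markup for one comment. The result can be passed to $(...).append()
// without the input creating new elements or attributes.
// (When no markup is needed at all, jQuery's .text(value) skips HTML parsing.)
function renderComment(author, body) {
  return safeHtml`<div class="comment" title="${author}">${body}</div>`;
}

// Counts opening tags in a string, used here to confirm that user input
// did not add elements to the fragment.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed inputs: one tries to add a script element, the other tries to
// close the title attribute and add an event handler.
const sampleAuthor = 'x" onmouseover="alert(1)';
const sampleBody = "<script>alert(1)</script>";
const rendered = renderComment(sampleAuthor, sampleBody);
console.log(rendered);
console.log("opening tags:", countOpeningTags(rendered));
```
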