In https://gerrit.wikimedia.org/r/#/c/268185/16/resources/mobile.startup/Skin.js @Krinkle mentioned:
Related to $image = $( $noscript.text() ),
This is wrong. The html is not html-escaped from the server (and shouldn't since otherwise it won't work as html for noscript clients). Which means this should be read as html, not text. Otherwise this allows freeform text to become arbitrary html. Aside from a security issue, it will also break some urls containing special characters by wrongly unescaping them.
@Jhernandez response:
Are you suggesting that using $().text will bring problems?
Using .html() to read the contents of the <noscript/> tag returns the html string escaped: "<img alt="Alicante en medi..." which won't build the DOM nodes in $.parseHTML, just give back a text node (which I would have to get the textContent of too).
It would look something like this:

$image = $( $.parseHTML( $.parseHTML( $noscript.html() )[0].textContent ) ),

Which looks like a nightmare and would have to be bounds checked.
What are the problems of getting the noscript contents with .text()? Should we use .html()?
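Whichever read is used, the body of the noscript element is server-supplied markup that ends up parsed as HTML on the client, so the check a reviewer would want is that only an img element with allowlisted attributes ever reaches the DOM, rather than the whole parsed fragment. The following is an added illustration for this thread, not MobileFrontend or jQuery code: it is DOM-free so it runs under Node, the small attribute tokenizer stands in for the browser's parser (a simplification assumed by this example), and the attribute allowlist, the URL scheme check and the sample noscript content are all constructed here.

```javascript
// Added example (not project code): extract the lazy-load fallback image
// from <noscript> content without injecting server-supplied markup as-is.
// Assumptions: a simplified single-tag grammar, a constructed attribute
// allowlist, and http(s)/relative URLs as the only acceptable src values.

const ALLOWED_ATTRS = new Set(['src', 'alt', 'width', 'height', 'class']);

// Decode the entities that may appear inside an attribute value
// (named ones commonly emitted by the server plus numeric references).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos);/gi, (m, e) => {
    if (e[0] === '#') {
      const cp = e[1].toLowerCase() === 'x'
        ? parseInt(e.slice(2), 16)
        : parseInt(e.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[e.toLowerCase()];
  });
}

// Tokenize one tag's attribute list into a Map of lower-cased name -> value.
// Throws on anything outside the small grammar (e.g. a second tag).
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?\s*/y;
  const text = attrText.trim();
  let pos = 0;
  while (pos < text.length) {
    if (text[pos] === '/') { pos += 1; continue; }   // tolerate "<img ... />"
    re.lastIndex = pos;
    const m = re.exec(text);
    if (!m) throw new Error('malformed attribute list');
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : '';
    attrs.set(m[1].toLowerCase(), decodeEntities(value));
    pos = re.lastIndex;
  }
  return attrs;
}

// Only http, https or relative URLs may become the image source.
// Tabs/newlines are stripped first because browsers ignore them in schemes.
function isSafeImageUrl(url) {
  const u = url.replace(/[\t\n\r]/g, '').trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  if (!scheme) return true;                      // relative or protocol-relative
  return ['http', 'https'].includes(scheme[1].toLowerCase());
}

// Accept exactly one <img ...> tag and nothing else. Returns a plain object
// holding only allowlisted attributes, or null when the content is refused.
function safeImageFromNoscript(noscriptContent) {
  const m = /^\s*<img\b([\s\S]*)>\s*$/i.exec(noscriptContent);
  if (!m) return null;                           // not a lone <img>: refuse
  let attrs;
  try { attrs = parseAttrs(m[1]); } catch (e) { return null; }
  const out = {};
  for (const [name, value] of attrs) {
    if (ALLOWED_ATTRS.has(name)) out[name] = value;  // drops on*, style, srcset ...
  }
  if (!out.src || !isSafeImageUrl(out.src)) return null;
  return out;
}

// Browser-side counterpart: build the element attribute by attribute instead
// of $( markup ). `doc` is the page's document; not exercised under Node.
function toImgElement(desc, doc) {
  const img = doc.createElement('img');
  for (const [k, v] of Object.entries(desc)) img.setAttribute(k, v);
  return img;
}

// Constructed sample of what the server might emit inside <noscript>,
// including an attribute that must never make it into the live DOM.
const SAMPLE_NOSCRIPT = '<img alt="Alicante, constructed sample" '
  + 'src="//upload.example.test/thumb/Alicante.jpg?w=320&amp;q=80" '
  + 'width="320" height="240" onerror="alert(1)">';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(safeImageFromNoscript(SAMPLE_NOSCRIPT));
}
```

In the page's terms, `safeImageFromNoscript($noscript.text())` replaces `$( $noscript.text() )`: the raw markup is still read with .text(), but the only thing that reaches the document is an img element whose attributes were individually allowlisted, so stray markup or event-handler attributes in the noscript body are dropped instead of rendered.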