Recommended XSS protection htmlDecode() isn't actually safe #117
Description
Even though the DIV never gets attached to the DOM, some browsers will still load images and fire events. See this comment on Stackoverflow
Using a textarea instead of e a DIV is safer, see here.