<p>I noticed that nobody reviewed the script, and so you've published it. But there a couple of possible security exploits: </p>

• You set the data without sanitizing it:

  var imgLink = $that.find('.MedalListLinkImage').val();
            var titleNew = $that.find('.MedalListTitle').val();
            var nameNew = $that.find('.MedalListName').val();
            var prevName = $that.find('.MedalListName').attr('data-prev');
 
            $that.find('.MedalImagePreview img')
                .attr('src', imgLink)
                .attr('title', titleNew)
                .attr('data-prev', nameNew);
 

<p>Read through these to get acquainted with mediawiki best practices: </p>

• https://www.mediawiki.org/wiki/Security_for_developers/Tutorial
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

<p>Given these attack vectors I highly doubt Wikia will allow this code to run in any wikia. </p>

<p>You can't set something like 'onclick', 'onload', 'onsomething' via .attr(). That's why I've used this instead of </p>

$('<div class="MedalImagePreview" />').append('<img src="' + imgLink + '" />');

<p>Moreover, getting data via .val() will give me a string that can't do anything bad. BUT .attr() can be dangerous if we're using it for 'href'. So I've solve this problem via </p>

mw.config.get('wgServer') + '/wiki/' + MedalSettings.module_info

<div class="quote"><i>Kopcap94 wrote:
You can't set something like 'onclick', 'onload', 'onsomething' via .attr(). That's why I've used this instead of

$('<div class="MedalImagePreview" />').append('<img src="' + imgLink + '" />');

<p>Moreover, getting data via .val() will give me a string that can't do anything bad. BUT .attr() can be dangerous if we're using it for 'href'. So I've solve this problem via </p>

mw.config.get('wgServer') + '/wiki/' + MedalSettings.module_info

</i></div>
<p>See : </p>

• http://security.stackexchange.com/questions/52447/is-jquery-val-enough-to-prevent-xss .

•  https://coderwall.com/p/h5lqla/safe-vs-unsafe-jquery-methods

<p>Well, that's true for the input but not the output. Basically you validate the input and escape the output. From a brief look at your script it seems that the attr() and prop() are being used to espace. But they are all over the place, it might make more sense to use a function for that purpose especially considering that you're extracting text from an external source, and one small overlooked mistake may allow an exploit.  </p><p>You might consider using this library for those purposes. </p>

<p>I know about mw.html.escape function, but I've got some problems with it. About to create specific function to control all 'escapes' - good idea but here can be some problems with making it suitable for all cases. I'd prefer to stay at like it's now since I've covered all attr actions. </p>

<p>.attr() isn't for event based attributes, that's what .on() is for, e.g. .on('click', ...), or it's shorthand version, .click(). </p><p>To re-iterate Dessamator's point, you should always escape user input before outputting it, or validate it if there's a set of pre-specified values is can take. .text() is suitable for this, .attr() is not and has never claimed to be. </p>

<p>Ah, ok, I will fix it. </p>

nice