Hi Gunnar, thanks for your answer!
So I think your "correct" was related to the impossibility of triggering an attack using the mentioned bindings?
The htmlspecialchars function I am using is basically an identical implementation to the PHP native one (see http://phpjs.org/functions/htmlspecialchars/) - so it should be secure, right?
And regarding secure bindings, I still fail to see what the benefit would be. As I use a single page app, the templates are "static", i.e. they cannot be modified by a backend script, for example by replacing something there with user-generated content.
So therefore my app should be 100% XSS safe, right? So why should I still use these secure bindings? And yes, I have some logic in my templates (something like this: <!--ko if: vmData.pages().length > 0 -->), but I again fail to see how these could trigger XSS in any way.