
I have this line of code with jQuery, and I have been told that this line is vulnerable to XSS, because I didn't escape the raw data before injecting it using the html() function.

Please let me know how to escape the data to make it more secure. (I can use plain JavaScript instead if that would solve the problem, i.e. getElementById etc.)

var data = "Some data from user or elsewhere";

// Selector needs the "#" to target the div with id "output_area";
// $("output_area") would look for an <output_area> tag instead.
$("#output_area").html(data);

    You're really only vulnerable to persistent XSS if the data comes from the server and was originally inputted by a user before it was stored etc. In other words, validating input is key. Commented Jun 8, 2015 at 19:29

1 Answer


You'd have to use:

$("#output_area").text(data)

If you want to inject HTML code, then you'd need to extract the pieces from the data and add them as text to HTML code that you yourself construct ($('<p/>').text(extractedParagraph), etc.).


2 Comments

Thank you for the response. I have this string '<h2>Heading Text</h2><div> This is the content</div>' <--- one big string. I need to inject this whole thing into a div called "output_area". Do you know a way to do this that prevents XSS?
Security gurus and web developers would be happy if you could have the data as JSON - e.g. { h: "Heading Text", p: "This is the content" } - and then .text() them in - e.g. $('#container').append($('<h2/>').text(data.h)).append($('<p/>').text(data.p)).
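The following is an added example, not code from the question or the answer above. It shows the escaping that jQuery's .text() performs before a value reaches an HTML context, the structured-data approach from the last comment (fixed tags written by you, only escaped text from the data between them), and a small defender-side check that flags values which should have been plain text but contain markup. The function names escapeHtml, renderUnsafe, renderSafe and looksLikeMarkup, and the sample strings, are assumptions constructed for this example. It runs in plain Node.js without a DOM; in a browser, element.textContent or $('<h2/>').text(value) gives the same result because neither parses its argument as HTML.

```javascript
// Added example (not from the question or answer). Constructed names and data.

// The five characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text. Every tag in the input,
// whatever its name, is neutralised the same way, because the parser never
// sees a literal "<" again.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the question: the string reaches the parser verbatim, so
// any markup inside it becomes live DOM. Kept only to contrast with renderSafe.
function renderUnsafe(rawHtml) {
  return rawHtml;
}

// The pattern from the comment: the server sends
// { h: "Heading Text", p: "This is the content" }. The tags are fixed in our
// own code; only escaped text from the data goes between them.
function renderSafe(data) {
  return `<h2>${escapeHtml(data.h)}</h2><div>${escapeHtml(data.p)}</div>`;
}

// Defender-side check: does a value that is supposed to be plain text contain
// something shaped like an HTML tag? Useful for logging or rejecting input at
// the point it is stored, which is where the persistent-XSS comment says the
// validation belongs. Bare "<" in prose (e.g. "1 < 2") does not trigger it.
function looksLikeMarkup(value) {
  return /<\s*\/?[a-z][^>]*>/i.test(String(value));
}

// Constructed sample values (not from the page) standing in for user input.
const constructedUntrustedHeading = 'Heading <b>Text</b>';
const constructedUntrustedBody = 'Tom & "Jerry" <i>said</i> hi';

// Render the same data both ways so the difference is visible.
function demo() {
  const data = { h: constructedUntrustedHeading, p: constructedUntrustedBody };
  return {
    unsafe: renderUnsafe(`<h2>${data.h}</h2><div>${data.p}</div>`),
    safe: renderSafe(data),
    flagged: looksLikeMarkup(data.h) || looksLikeMarkup(data.p),
  };
}

const rendered = demo();
console.log('unsafe:', rendered.unsafe);
console.log('safe:  ', rendered.safe);
console.log('input contained markup:', rendered.flagged);
```

Note that escaping is the output-side control and looksLikeMarkup is only an input-side signal: a value can legitimately contain "<" (code samples, maths), so the escape on output is what actually prevents the injection, and the detector is there for logging and triage rather than as a substitute for it.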
