Last Updated: February 25, 2016
wyuenho

Safe vs Unsafe jQuery Methods

We all know XSS is bad and we all use jQuery. Unfortunately, its API documentation does not do a very good job of explaining which jQuery methods are safe to call with unescaped (untrusted) input and which are not: the unsafe ones parse their string argument as HTML, so any markup in the input becomes live DOM, script handlers included.

Safe

  • .text() // the string becomes a text node, so any markup in it is displayed, not parsed
  • .attr() // safe against markup injection, but not when the attribute is a URL (href, src) or an on* event handler: .attr("href", "javascript:alert(1)") is still XSS, so validate the scheme first
  • .prop() // same caveat as .attr() for URL properties such as href and src
  • .val()

Unsafe

  • $("html code") // a string starting with < (in jQuery before 1.9, a string containing < anywhere) is parsed as HTML, so never pass untrusted input to $()
  • .html()
  • .append*()
  • .insert*()
  • .prepend*()
  • .wrap*()
  • .before()
  • .after()
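The following, added here as an example and not part of the original tip, shows the safe and unsafe choices side by side: a URL check for .attr("href"), the escaping that .text() performs implicitly and .html() does not, and a comment renderer written both ways. The #comments id, the comment record and the example.invalid base URL are constructed for the example; the two render functions assume jQuery is loaded on the page, while safeHref() and escapeHtml() have no DOM dependency.

```javascript
// Added example for this tip (not code from the original post). It assumes
// jQuery is loaded on the page for the two render functions; safeHref() and
// escapeHtml() have no DOM dependency and run anywhere.

// Schemes allowed to reach an href or src attribute. "javascript:" and "data:"
// are deliberately absent: .attr("href", ...) will happily set either.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Validate an untrusted link before it goes near .attr("href", ...).
// Relative links are resolved against a base (hypothetical host, any is fine)
// so "/profile/42" passes. The URL parser lowercases the scheme and strips
// leading whitespace, tabs and newlines, so "  JaVaScRiPt:alert(1)" and
// "java\tscript:alert(1)" are both seen as javascript: and rejected.
// Returns the original string when it is acceptable, otherwise null.
function safeHref(input, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(String(input), base);
  } catch (e) {
    return null; // unparseable: do not use it at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? String(input) : null;
}

// The escaping that .text() performs implicitly and .html() does not:
// the characters that can change meaning in HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A comment record as an API might return it; constructed for this example,
// with every field attacker-controlled.
const untrustedComment = {
  author: '<img src=x onerror="alert(document.cookie)">',
  website: "javascript:alert(document.cookie)",
  body: "<script>alert(1)</script> nice post"
};

// UNSAFE: the concatenated string is parsed as HTML by .append(), so the
// <img onerror> in author fires and the link is a javascript: URL.
function renderCommentUnsafe($, $list, c) {
  $list.append(
    '<li><a href="' + c.website + '">' + c.author + "</a>: " + c.body + "</li>"
  );
}

// SAFE: only fixed, literal markup is parsed; every untrusted value arrives
// through .text() or, for the link, through .attr() after safeHref().
function renderCommentSafe($, $list, c) {
  const $link = $("<a>").text(c.author); // shown as literal text
  const href = safeHref(c.website);
  if (href !== null) {
    $link.attr("href", href); // only an http(s) URL gets this far
  }
  $("<li>")
    .append($link)
    .append($("<span>").text(": " + c.body)) // no .html() anywhere
    .appendTo($list);
}

// In a browser page that has loaded jQuery, render into a #comments list
// (element id assumed for the example); skipped when there is no DOM.
if (typeof window !== "undefined" && typeof window.jQuery === "function") {
  renderCommentSafe(window.jQuery, window.jQuery("#comments"), untrustedComment);
}
```

safeHref() is an allow-list, not a deny-list: refusing everything except http: and https: is what stops javascript: and data: links, including the mixed-case and tab-separated spellings that the URL parser normalizes before the check runs.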

4 Responses

I wouldn't consider .attr as a safe method. Example: .attr('href', 'javascript:alert()')

over 1 year ago
wyuenho

Good call!

over 1 year ago

Superb post, thank you for this!

over 1 year ago

Can you please show an example of XSS-safe DOM insertion? Would it be:

jQuery('<div/>', {             // single-tag HTML plus an attributes object
    id: 'foo',                 // keys that are not jQuery methods are set via .attr()
    href: 'http://google.com',
    title: 'Become a Googler',
    rel: 'external',
    text: 'Go to Google!'      // a key naming a jQuery method is called as that method, so this is .text() and is escaped
}).appendTo('#mySelector');

?

Thank you

over 1 year ago