jQuery

has this

quirk,
whereby one can't pass user data to the $() function:

$('<img src=1 onerror=alert(document.domain)>')    

The $() code ends up creating an HTML node, which can lead to an XSS vulnerability.

This vector for bugs has been known for a while (bug #9521; bug #11617), but can unfortunately still be exploited in some cases.

{ modified for grammar/effect from src

props to @alokmenghrajani }