Is jQuery's $ safe from XSS?
In jQuery:

    $('<script>alert("foo");</script>')              // nothing shows
    // wrap in <p>
    $('<script>alert("foo");</script>').wrap('<p>')  // oh no, alert popped up

Is $('any string ever') able to cause JavaScript to execute in the browser?
No, $ is not XSS safe.

You can inject arbitrary JavaScript using this trick:

    $("<img src=x onerror=alert(/xss/.source)>")
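An added example, not part of the question or the answer above, showing the defensive side of the same behaviour: $() treats a string argument as either a selector or HTML, and once it is parsed as HTML, attaching it to the document runs script elements and fires inline handlers such as onerror. The helper `jqueryWouldParseAsHtml` is my own simplified reading of the check in jQuery 1.9 and later (an assumption, not jQuery's API), and `escapeHtml` and `checkSelectorArgument` are hypothetical helper names; the inputs are constructed for the example.

```javascript
// Added example, not from the original post. Runs under Node without jQuery;
// the jQuery calls it refers to appear only in comments.

// Escape the characters that let data break out of a text context into markup.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Predicts whether $(str) would be parsed as HTML rather than as a selector.
// Assumption: this mirrors the decision in jQuery 1.9+ (a string that starts
// with "<" and ends with ">", or that matches its "quick expression", which
// tolerates leading whitespace and trailing non-">" text). It is a simplified
// reading of that source, not jQuery's own function.
const quickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;
function jqueryWouldParseAsHtml(str) {
  const s = String(str);
  if (s.length >= 3 && s[0] === '<' && s[s.length - 1] === '>') return true;
  const m = quickExpr.exec(s);
  return Boolean(m && m[1]);
}

// Review helper: a string built from untrusted input that a call site intends
// as a selector is flagged when $() would instead parse it as HTML.
function checkSelectorArgument(str) {
  return jqueryWouldParseAsHtml(str)
    ? { safe: false, reason: 'would be parsed as HTML by $()' }
    : { safe: true, reason: 'treated as a selector' };
}

// Constructed inputs; the second is the payload quoted in the answer above.
const untrustedInputs = [
  '<script>alert("foo");</script>',
  '<img src=x onerror=alert(/xss/.source)>',
  '#main',
];

for (const input of untrustedInputs) {
  console.log(JSON.stringify(input), '->', checkSelectorArgument(input).reason);
  console.log('  escaped:', escapeHtml(input));
}

// In page code the safe patterns are (jQuery, shown here but not run under Node):
//   $('#out').text(untrusted);                 // .text() never parses markup
//   $('<p>').text(untrusted).appendTo('#out'); // build the element, then set text
//   $('#out').append(escapeHtml(untrusted));   // or escape before any HTML sink
```

The point of `checkSelectorArgument` is that the selector-versus-HTML decision is made by jQuery, not by the caller, so any untrusted value reaching $() as a string has to be assumed to take the HTML path; routing it through `.text()` or `escapeHtml` removes that decision from the attacker's control.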