Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Document escaping HTML, side-effects of scripts injected via .html() #23

addyosmani opened this Issue May 17, 2012 · 3 comments


None yet
3 participants

addyosmani commented May 17, 2012

From Dave:

The pages for APIs like .html() don't mention this problem, in fact we don't even mention that scripts injected via .html() are executed so I'm adding a needsdocs here. (Of course, just about any API that accepts HTML strings does this but it might surprise some devs.)

More info on this thread: http://bugs.jquery.com/ticket/11773


kswedberg commented Jun 3, 2012

Also applies to append, appendTo, prepend, prependTo, after, insertAfter, before, insertBefore, etc.


dmethvin commented Jan 26, 2014

How about this as a new reusable note that we put in all of those entries:

By design, any jQuery constructor or method that accepts an HTML string (jQuery(), .append(), .after(), etc.) can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code, e.g., img onload. Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding it to the document.

Linking, formatting to be done.

@ghost ghost assigned dmethvin Jan 26, 2014


kswedberg commented Jan 26, 2014

Looks great, @dmethvin! I'm adding the note now

@kswedberg kswedberg closed this in c3ceeb4 Jan 26, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment