
How can I protect against injection? (jQuery & ajax)

<input type="text" id="name" name="name" /> 
<input type="text" id="email" name="email" /> 

var name = $("#name").val();
var mail = $("#email").val();

Output:

$("#logga").html('Name: <b>' + name + ' </b>Comment:<b> ' + comment + '</b>');
  • What kind of injection? – jor Jun 25 '13 at 20:31
  • use OAuth to protect web services. – abc123 Jun 25 '13 at 20:34
  • A common thing developers protect themselves against is PHP mysql (or other database) injection. Here are some discussions: [SO](http://stackoverflow.com/questions/7043303/php-mysql-injection-protection) [wikipedia](http://en.wikipedia.org/wiki/SQL_injection#Mitigation) [tizag](http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php). Perhaps this is what you are wondering about? – cssyphus Jun 25 '13 at 20:38

3 Answers

There is no way to secure data with JavaScript, because all of the client-side code is available to the attacker.

But you would have some form of authentication so that only genuine requests from your application returned data.

Prefer to read: How can I better protect my php, jquery, ajax requests from malicious users


If you want to ensure that the name/email contents are escaped properly for display, you can run them through .text first or create nodes and append their values with .textContent.

// Build a real DOM node and assign the user value through textContent,
// which stores it as plain text rather than parsing it as markup.
var name = document.createElement('b');
name.textContent = $("#name").val();
// Append the node itself. Reading name.textContent back and concatenating it
// into an .html() string would hand the raw, unescaped value to the parser again.
$("#logga").text('Name: ').append(name);

Do you mean that the user couldn't damage the produced HTML code? Then you'll need to escape the HTML entities:

function htmlEntities(str) {
    // '&' must be replaced first, otherwise the entities produced below
    // would themselves be double-escaped.
    return String(str)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;');
}

Output line:

$("#logga").html('Name: <b>' + htmlEntities(name) + ' </b>Comment:<b> ' + htmlEntities(comment) + '</b>');
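The escaping approach from jor's answer, as an added example that is not part of the question or any answer: a string-level escaper that also covers the single quote (which jor's function leaves alone, and which matters once a value lands inside an attribute), next to the original unescaped concatenation so the difference is visible without a browser. The names escapeHtml, renderUnsafe and renderEscaped and the sample inputs are constructed for this demo.

```javascript
// Added example, not code from the question or answers.
// Map of every character that can alter HTML structure or end an attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass replaces each special character exactly once, so no
// double-escaping can occur regardless of ordering.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The question's original output line: user input concatenated straight into
// markup, so any tag in the value becomes part of the page.
function renderUnsafe(name, comment) {
  return 'Name: <b>' + name + ' </b>Comment:<b> ' + comment + '</b>';
}

// Same layout, but each user-controlled value is escaped before concatenation.
// The returned string is what you would hand to $("#logga").html(...).
function renderEscaped(name, comment) {
  return 'Name: <b>' + escapeHtml(name) + ' </b>Comment:<b> ' +
         escapeHtml(comment) + '</b>';
}

// Constructed inputs: one value that closes the <b> and injects a script
// element, and one that only exercises the quote and ampersand handling.
const sampleName = '</b><script>x()</script>';
const sampleComment = 'Tom & Jerry say "hi" (it\'s fine)';

console.log(renderUnsafe(sampleName, sampleComment));   // script tag survives
console.log(renderEscaped(sampleName, sampleComment));  // shown as literal text
```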