
I am working on a page which uses a modal dialog to allow a customer to choose an item.

On this dialog, the customer can choose one item from a pre-populated list or write in their own item. Once the user clicks the OK button, the modal goes away, gets the name of the item using .val() and through jQuery's .text() function we enter whatever the item name was into a div element.

Since the customer can write in anything, do I have to be concerned about them putting in a <script></script> tag? Are there any other security things I should be concerned about in this scenario?

I am not worried about the back end as when the user finally submits this form, we have input validation on the back end. I am just concerned about the front end.

Thanks!

doniyor
ethanH
    Using `.text()` is exactly the right thing to do - it'll escape any `<` or `>` characters and prevent them from appearing as tags. – Alnitak Aug 04 '14 at 22:39

1 Answer


If you use jQuery's .text(untrustedString) method, you'll be fine. That method will escape any html or tags.

$('<div>').text("<test>")[0].innerHTML
// returns "&lt;test&gt;"

What you would not want to do is use the .html(untrustedString) method, as any script tags or other html elements in the string would get created.

$('<div>').html("<test>")[0].innerHTML
// returns "<test></test>"

Although, if this will only be shown in their own browser there isn't much security to be gained. You would only be able to attack... yourself? People already have the ability to inject whatever javascript they want into a webpage running in their own browser, should they desire.

The only time this matters to security is if my hacking script tag executed in someone else's browser, which, for instance, beams their cookie to me over the internet and I can assume their identity on your website.

So this isn't about security, it's about your app not exploding when someone enters text that may have meaning to HTML.

That said, in this case, you should definitely use text().

Alex Wayne
  • This is correct. The main reason for your client-side validation should be to help prevent users accidentally breaking the page with whatever they put in the input (mainly HTML, most likely them attempting to click the submit button but accidentally dragging the element into the input area, thereby copying its HTML, or perhaps trying to paste text which includes HTML). – Kevin Aug 04 '14 at 22:51
  • Attacking oneself can potentially be an issue. http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools – Niet the Dark Absol Aug 04 '14 at 22:51
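As an added example (not part of the original question or answer), the snippet below models what jQuery's .text() leaves in element.innerHTML by applying the HTML specification's text-node escaping rules, so the .text() versus .html() difference shown in the answer can be checked without a browser. The function names and the sample item names are constructed for this illustration.

```javascript
// Escapes a string the way a browser serialises a text node back into
// innerHTML: '&' first (so later entities are not doubled), then U+00A0,
// '<' and '>'. This is what makes $(el).text(name) inert.
function escapeTextNode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Equivalent of $('<div>').text(name)[0].innerHTML: markup characters
// are shown to the customer exactly as typed.
function renderViaText(name) {
  return escapeTextNode(name);
}

// Stand-in for $('<div>').html(name)[0].innerHTML: the string reaches the
// HTML parser as markup. A real browser would also normalise it; the raw
// value is kept here only to make the difference visible.
function renderViaHtml(name) {
  return String(name);
}

// True when the .html() path would hand the parser a tag or entity, i.e.
// the item name would change meaning (or disappear) instead of being shown
// as the customer typed it. This is the "app exploding" case from the answer.
function changesMeaningViaHtml(name) {
  return renderViaHtml(name) !== renderViaText(name);
}

// Constructed sample item names a customer might type into the dialog.
const sampleItemNames = ['Widget', '<test>', 'Tom & Jerry', '<b>bold</b>'];

for (const name of sampleItemNames) {
  console.log(JSON.stringify(name),
    '-> via .text():', renderViaText(name),
    '| altered by .html():', changesMeaningViaHtml(name));
}
```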