The company who hosts our site reviews our code before deploying - they've recently told us this:
HTML strings should never be directly manipulated,
If this.au is somehow modified, it might contain something like this:
">Click to play
If you use DOM manipulation to set the src attribute, the script (or whatever other XSS you use) won't be executed, as it'll be properly escaped by the DOM API.
In response to some commentators who are saying that if someone could modify this.au, surely they could run the script on their own: I don't know where this.au is coming from, nor is it particularly relevant. It could be a value from the database, and the DB might have been compromised. It could also be a malicious user trying to mess things up for other users. It could even be an innocent non-techie who didn't realize that writing "def" > "abc" would destroy things.
One more thing. In the code you provided, var quizAuLink = $( 'a' ); will not create a new element. It'll just select all the existing ones. You need to use var quizAuLink = $( '<a>' ); to create a new one.
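
Added example, not part of the original question or answer: the string-built link next to the DOM-API version, with a comparison of what each produces for the same value. The markup shape, the function names and the sample values are assumptions; only this.au (the `au` argument here) and the "Click to play" text come from the page.

```javascript
// Added example. The markup shape and the function names are assumptions;
// only this.au (here the `au` argument) and "Click to play" come from the page.

// Before: the value is spliced into an HTML string, so a quote or angle
// bracket inside `au` is parsed as markup instead of staying inside src.
function buildLinkHtmlUnsafe(au) {
  return '<a class="quiz-au" src="' + au + '">Click to play</a>';
}

// After: create the element, then hand the value over as data.
// setAttribute() and textContent never run the HTML parser on their argument.
function buildLinkSafe(doc, au) {
  const link = doc.createElement('a');
  link.className = 'quiz-au';
  link.setAttribute('src', au);
  link.textContent = 'Click to play';
  return link;
}

// Parse the unsafe string and build the safe element, then report what the
// page would actually end up with for the same input.
function compare(doc, au) {
  const holder = doc.createElement('div');
  holder.innerHTML = buildLinkHtmlUnsafe(au);
  const unsafeLink = holder.querySelector('a');
  const safeLink = buildLinkSafe(doc, au);
  return {
    unsafeSrc: unsafeLink.getAttribute('src'),
    unsafeElementCount: holder.querySelectorAll('*').length,
    unsafeText: holder.textContent,
    safeSrc: safeLink.getAttribute('src'),
    safeText: safeLink.textContent,
  };
}

// Constructed sample values: the innocent string quoted in the answer, and a
// harmless tag that shows markup escaping the attribute.
const SAMPLES = ['"def" > "abc"', 'clip.mp3"><b>injected</b>'];

// Runs only where a DOM exists (browser console); a no-op elsewhere.
if (typeof document !== 'undefined') {
  for (const au of SAMPLES) console.log(au, compare(document, au));
}
```

In a browser console, safeSrc always equals the input, while unsafeSrc is cut off at the first double quote and the remainder shows up as extra elements or stray text.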