Can malicious javascript code be injected through $()?

Question

Example:

if($(\'#\' + untrusted_js_code).length) > 0
  ....`

Normally \"untrusted_js_code\" should be a simple string representing the I

Answer 1

As of 22/10/2012, jQuery 1.8.2:

Yes, XSS attacks are possible.

var input = ""
$(input).appendTo("body");

See demo. It seems the jQuery team has acknowledged this and has plans to address it in jQuery 1.9.

As of jQuery 1.8, use $.parseHTML if you expect user input to be html:

var input = ""
$($.parseHTML(input)).appendTo("body");​

See demo, no alerts.

---

In the case OP describes however, the following:

var untrusted_js_code = 'alert("moo")';
$('#' + untrusted_js_code).show();

Will translate to this:

$('#alert("moo")').show();

This is intrepreted by jQuery as a CSS selector, thanks to the preceding # in the string, which as oppposed to html cannot have in-line JS code, so it is relatively safe. The code above would only tell jQuery to look for a DOM element by that ID, resulting in jQuery failing to find the element and thus not performing any action.