Can malicious javascript code be injected through $()?

青春惊慌失措 2020-12-16 14:53

Example:

if ($('#' + untrusted_js_code).length > 0)
  ....

Normally "untrusted_js_code" should be a simple string representing the I

4 Answers
  •  一向 (original poster)
    2020-12-16 15:29

    Yes, if you're using an older version of jQuery, this is possible in certain cases. This was fixed (here's the commit) in version 1.6.3. Also see the corresponding bug report.

    The commit includes a test case that clarifies the issue:

    jQuery( '#' ).appendTo("#qunit-fixture");
    

    With jQuery versions prior to 1.6.3, the onerror code would have been executed.

    Your particular example (just checking for the length) doesn't have this issue, though.
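
A model of the string classification behind the fix mentioned in the answer above, with an allowlist guard for untrusted ids. This is an added example, not part of the original answer or of jQuery's code. The two patterns are recalled from jQuery core before and after 1.6.3 and should be treated as an assumption; `classify`, `idSelector` and `SAFE_ID` are hypothetical names.

```javascript
// Assumption: string-classification patterns as recalled from jQuery core,
// before and after 1.6.3. The newer one refuses to skip over a leading '#'.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const QUICK_EXPR_NEW = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Model of how $() would treat a string argument:
//   'html'     -> parsed as markup and turned into elements
//   'id'       -> fast-path lookup of a plain #id
//   'selector' -> handed to the selector engine
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1]) return 'html';
  if (m && m[2] !== undefined) return 'id';
  return 'selector';
}

// Allowlist guard (hypothetical helper): accept only what a plain id is
// expected to look like, so the result is safe on any jQuery version.
// The pattern is deliberately stricter than what HTML permits in an id.
const SAFE_ID = /^[A-Za-z][\w\-]{0,63}$/;

function idSelector(untrusted) {
  if (typeof untrusted !== 'string' || !SAFE_ID.test(untrusted)) return null;
  return '#' + untrusted;
}

// Constructed sample inputs: a normal id and a value that carries markup.
const samples = ['main', '<img id="demo">'];
for (const value of samples) {
  const raw = '#' + value;
  console.log(JSON.stringify(raw),
    'old:', classify(raw, QUICK_EXPR_OLD),
    'new:', classify(raw, QUICK_EXPR_NEW),
    'guarded:', idSelector(value));
}
```

Where the id is only looked up and never needs a selector, `document.getElementById(untrusted)` avoids selector and markup parsing entirely.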
