Can malicious javascript code be injected through $()?

青春惊慌失措 2020-12-16 14:53

Example:

if ($('#' + untrusted_js_code).length > 0)
  ....

Normally "untrusted_js_code" should be a simple string representing the I

4 answers
  •  一向 (original poster)
    2020-12-16 15:27

    With that statement, you're asking jQuery to perform a query based on a selector. Since the string is a selector, it can't do any harm.
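Added example, not part of the original thread: jQuery 1.9 and later treat a string passed to `$()` as HTML only when it starts with `<`, so the `#` prefix keeps this a selector query, but a concatenated value can still change which elements the selector matches (a comma turns it into a selector group). The sketch below escapes the value into a single ID token following the CSSOM identifier-serialization rules, and shows a stricter allowlist; the function names, the ID format in `isExpectedId` and the sample inputs are assumptions made for illustration.

```javascript
// Added example: keep an untrusted value from changing the meaning of an ID selector.
// escapeIdent follows the CSSOM "serialize an identifier" rules (what CSS.escape does).
function escapeIdent(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s.charAt(i);
    const code = s.charCodeAt(i);
    if (code === 0x0000) { out += '\uFFFD'; continue; }
    const isDigit = code >= 0x30 && code <= 0x39;
    if ((code >= 0x01 && code <= 0x1f) || code === 0x7f ||
        (i === 0 && isDigit) ||
        (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) {
      out += '\\' + code.toString(16) + ' ';   // hex escape, space-terminated
      continue;
    }
    if (i === 0 && s.length === 1 && code === 0x2d) { out += '\\-'; continue; }
    if (code >= 0x80 || ch === '-' || ch === '_' || /[0-9A-Za-z]/.test(ch)) {
      out += ch;                               // safe identifier character
      continue;
    }
    out += '\\' + ch;                          // everything else is backslash-escaped
  }
  return out;
}

// Naive concatenation, as in the question.
function naiveSelector(untrusted) { return '#' + untrusted; }

// Escaped form: the whole value stays a single ID token.
function safeSelector(untrusted) { return '#' + escapeIdent(untrusted); }

// Stricter option: reject anything outside the ID format the application
// generates (the format here is an assumption).
function isExpectedId(untrusted) {
  return typeof untrusted === 'string' && /^[A-Za-z][A-Za-z0-9_-]{0,63}$/.test(untrusted);
}

// Constructed sample inputs.
const samples = ['item-42', 'x, body', 'a.b', '7up', 'x<b>'];
for (const v of samples) {
  console.log(JSON.stringify(v), '->', naiveSelector(v), '|', safeSelector(v), '|', isExpectedId(v));
}
```

In a browser, `CSS.escape` or jQuery 3's `$.escapeSelector` perform this escaping, and `document.getElementById(untrusted)` avoids selector parsing altogether.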
