Can malicious javascript code be injected through $()?

Backend · unresolved · 4 answers · 1067 views
青春惊慌失措 2020-12-16 14:53

Example:

    // untrusted_js_code is expected to hold an element id, but is attacker-controlled
    if ($('#' + untrusted_js_code).length > 0) {
      ....
    }

Normally \"untrusted_js_code\" should be a simple string representing the I

4 answers
  •  予麋鹿 (OP)
     2020-12-16 15:35

    It's not as clear as others are saying. The untrusted code won't be able to do XSS (as long as you have a sufficiently new version of jQuery, as balpha points out), but it can hang the user's browser or make your code receive unexpected input.

    For example, if untrusted_js_code was :input, the translation would be:

    $("#:input")
    

    and jQuery seems to just ignore the # and match on :input. Seriously, open a console and run that bit of code on this page. (This appears to only work with pseudoclasses.)

    A nefarious party could give you a computationally intensive selector (very simplistically :not(.asdf):not(.asdf) tens of thousands of times) which takes seconds (or minutes...) to process.

    (Also, there is the possibility of browser bugs, so a selector might be able to be constructed to crash the user's web browser.)
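
The two defences that follow from this answer, as an added example that is not part of the original post or of jQuery: either escape the untrusted value so it can only ever be read as a literal identifier (the browser's built-in `CSS.escape` does this; the `cssEscape` below is a port of the CSSOM algorithm so the example runs in Node), or, when the value is supposed to be an id you generated yourself, reject anything outside a strict allow-list. `SAFE_ID`, `isSafeId`, `unsafeIdSelector`, `escapedIdSelector` and `allowListedIdSelector` are names chosen here for illustration. The functions only build selector strings; in a browser they would be the argument to `$(...)`.

```javascript
// Added example, not code from the original page. Shows how the untrusted
// value in "$('#' + untrusted_js_code)" can be prevented from changing the
// shape of the selector (for example ":input" turning into "#:input", which
// jQuery matches as the pseudo-class, or a long ":not(...)" chain that is
// expensive to evaluate).

// Port of the CSS.escape() algorithm (CSSOM spec). Browsers expose the real
// thing as CSS.escape; this port is here only so the example runs offline.
function cssEscape(value) {
  const s = String(value);
  const firstIsDash = s.charCodeAt(0) === 0x2d; // '-'
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    const ch = s.charAt(i);
    const isDigit = code >= 0x30 && code <= 0x39;
    if (code === 0) {
      out += '\uFFFD';                       // NUL is replaced, never emitted
    } else if ((code >= 0x01 && code <= 0x1f) || code === 0x7f ||
               (i === 0 && isDigit) ||
               (i === 1 && isDigit && firstIsDash)) {
      out += '\\' + code.toString(16) + ' '; // hex escape, e.g. "1" -> "\31 "
    } else if (i === 0 && s.length === 1 && code === 0x2d) {
      out += '\\' + ch;                      // a lone "-" must be escaped
    } else if (code >= 0x80 || code === 0x2d || code === 0x5f || isDigit ||
               (code >= 0x41 && code <= 0x5a) || (code >= 0x61 && code <= 0x7a)) {
      out += ch;                             // identifier characters pass through
    } else {
      out += '\\' + ch;                      // everything else (":", ".", " ", ...) is escaped
    }
  }
  return out;
}

// Allow-list for ids you mint yourself. The length cap also bounds the
// cost of whatever selector the value ends up in.
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function isSafeId(value) {
  return typeof value === 'string' && SAFE_ID.test(value);
}

// The selector from the question, built three ways.
function unsafeIdSelector(untrusted) {
  return '#' + untrusted;                             // attacker controls the grammar
}

function escapedIdSelector(untrusted) {
  return '#' + cssEscape(untrusted);                  // always exactly one id selector
}

function allowListedIdSelector(untrusted) {
  return isSafeId(untrusted) ? '#' + untrusted : null; // reject rather than repair
}
```

With escaping, the answer's `:input` payload becomes `#\:input`, which can only match an element whose id is literally `:input`; with the allow-list it is refused outright, as is the repeated `:not(.asdf)` selector, which fails both the character set and the length cap.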
