Is jQuery .text() method XSS safe?

Backend  Unresolved  6  1995
陌清茗 2020-12-24 00:48

I have unescaped data from users.

So is it safe to use like this:

var data = \'a&f\"#\'; // example data from ajax resp         


        
6 answers
  •  悲哀的现实
    2020-12-24 01:02

    The author of http://benv.ca/2012/10/02/you-are-probably-misusing-DOM-text-methods/ argues against using createTextNode or jQuery's .text().

    ...if you know the context in which you are injecting the value (i.e. not attributes), then this method is safe. My argument is that developers don’t understand those contexts well enough, and sooner or later they will get it wrong.

    It is better to use string replacement (of at least <).

    Some examples from well-secured libraries:

    • Mustache https://github.com/janl/mustache.js/blob/master/mustache.js#L55
    • Angular https://github.com/angular/angular.js/blob/v1.3.14/src/ngSanitize/sanitize.js#L438

    The #1 OWASP suggestion is:

    RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
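
The string-replacement escaping this answer recommends (OWASP Rule #1, in the style of Mustache's escapeHtml), as an added example that is not part of the question or any answer. It is pure string code with no DOM, so it runs in Node; the function names and the attribute-context helper are my own, not from jQuery, Mustache or OWASP.

```javascript
// Added example, not from the thread: OWASP Rule #1 style entity encoding,
// modelled on the character set Mustache escapes. Pure string code (no DOM).
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

// Replace every character that can change meaning in HTML element content.
// A single pass means an '&' already in the input is encoded once, not twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Element-content context (the case the question asks about): the escaped
// string can be assigned as HTML and renders exactly as the user typed it.
function elementContentHtml(untrusted) {
  return escapeHtml(untrusted);
}

// Attribute context, the one the quoted author says developers get wrong:
// escaping alone is not enough, the value must also be quoted so that a space
// or '>' in the input cannot terminate the attribute. Hypothetical helper.
function attributeHtml(name, untrusted) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name)) {
    throw new Error('invalid attribute name: ' + name);
  }
  return name + '="' + escapeHtml(untrusted) + '"';
}

// Defensive check: true when nothing in the string can open a tag or close
// a quoted attribute value. Useful as an assertion on an escaper's output.
function isInertHtml(str) {
  return !/[<>"']/.test(str);
}

// The question's own sample data, run through the escaper.
const sample = 'a&f"#'; // constructed from the question
console.log(elementContentHtml(sample)); // a&amp;f&quot;#
```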
