Is jQuery .text() method XSS safe?

Question

I have unescaped data from users.

So is it safe to use like this:

var data = \'a&f\"#\'; // example data from ajax resp         


        

Answer 1

Unlike the .html() method, .text() can be used in both XML and HTML documents. The result of the .text() method is a string containing the combined text of all matched elements. (Due to variations in the HTML parsers in different browsers, the text returned may vary in newlines and other white space.)

.text(data) would strip the away and leave you with a&f#