user3198603

Reputation: 5836

Is jQuery .attr() method XSS safe?

Here is my jQuery code snippet:

    var testURL = $(location).attr('search').split('&');
    // ....
    $(location).attr('search', testURL.join('&'));

Is the attr() method XSS safe? It looks like not, as I did not find anything related to escaping in the docs. If not, how can I escape it?

UPDATE:

Basically, my question is in the context of both getting and setting. First I am getting $(location).attr('search').split('&'); and doing a split on it. Can there be any harm here if the query string contains malicious data?

Also, while setting I am doing $(location).attr('search', testURL.join('&')); what if testURL contains malicious data?

Upvotes: 2

Views: 2716

Answers (1)

Barmar

Reputation: 781721

    $(location).attr('search', whatever);

is equivalent to

    location.search = whatever;

So it's no more or less safe than the plain JavaScript version.

Upvotes: 3
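
Added example (not part of the question or the answer): assigning `location.search` only changes the URL, so the care needed is in encoding values when the query string is rebuilt, and in escaping them only where they are later written into HTML. The helper names and the sample query string are constructed for illustration; `search` stands in for `location.search`.

```javascript
// Added example: not code from the question or the answer.
// `search` stands in for location.search; all sample values are constructed.

// Parse a query string into [name, value] pairs (values come back decoded).
function parseSearch(search) {
  return [...new URLSearchParams(search)];
}

// Rebuild a query string, replacing or adding one parameter.
// URLSearchParams percent-encodes names and values when serialized, so a
// value containing '&', '=' or markup cannot split or alter other parameters,
// which a plain split('&') / join('&') does not guarantee.
function setParam(search, name, value) {
  const params = new URLSearchParams(search);
  params.set(name, value);
  const qs = params.toString();
  return qs ? '?' + qs : '';
}

// Escaping is needed only where a value is later placed into HTML,
// which is a different sink from location.search.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed input: a query string whose value carries markup.
const sample = '?page=2&q=%3Cb%3Ehi%3C%2Fb%3E';
const pairs = parseSearch(sample);
const rebuilt = setParam(sample, 'page', '3&x=<i>');
console.log(pairs);                    // decoded pairs, plain strings
console.log(rebuilt);                  // value for location.search
console.log(escapeHtml(pairs[1][1]));  // safe to place in HTML text
```

In a page, the result of `setParam(location.search, ...)` is what would be assigned to `location.search`.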
