Do jQuery's val() and prop() methods html-escape values? Do jQuery's val() and prop() methods html-escape values? jquery jquery

Do jQuery's val() and prop() methods html-escape values?


jquery html escaping

Not really. .val() is used to set a form field's value attribute, so escaping isn't really necessary there. You'll be setting the value via the DOM, so it's not like you're constructing HTML through string concatenation. .prop(), on the other hand, doesn't even interact with attributes at all - just DOM properties, so you don't need to working about HTML escaping their either.

Edit: for the sake of clarification, I'm assuming that you're asking this because you're concerned about .prop() or .val() as an XSS attack vector (or just an opportunity to shoot yourself in the foot)? If that's the case, you need to remember that when setting attributes and properties via the DOM, the values that you set are essentially sandboxed to the attribute or value you were interacting with. For example, given the following:

<div id="foo"></div>

And you attempted to abuse an attribute value, such as:

$('#foo').attr('rel', '"></div><script>alert("bang");</script><div rel="');

You might be concerned that this would result in something like the following:

<div id="foo" rel=""></div><script>alert("bang");</script><div rel=""></div>

This will never happen, though. You will indeed have a rel attribute with the evil-looking string as its value, but no new markup or DOM nodes will be created. The string itself isn't escaped - it's just simply not interpreted as markup. It's just a string and that's it.

jquery html escaping

They expect strings, not HTML. You don't need to escape anything.

The methods themselves don't do any escaping either, the underlying DOM APIs they use also deal in strings, not HTML.

Once you start using JavaScript you almost never need to worry about HTML syntax, the only exception I can think of is when dealing with the innerHTML property which explicitly deals with (de)serialising the DOM to and from HTML.

jquery html escaping

I just want to add that you DO have to worry when inserting values inside attributes with side effects which can cause code execution. These include image src attribute which can be used for xss. See: https://www.owasp.org/index.php/Script_in_IMG_tags

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last