When you use the jQuery.append() or jQuery.html() method, any <script> contained in the content is executed without any processing.
The simple example code is as follows:
var xssStr = '<script>console.log(1)</script>';
$('#test').html(xssStr);
The console prints "1".
The same behavior exists in jQuery.append(), because jQuery.html() itself calls jQuery.append() internally.
Because <script> content is executed, there is a risk of XSS.
The workaround is also simple: escape the string before passing it as the argument:
var xssEscapeStr = xssStr.replace(/</g, '&lt;').replace(/>/g, '&gt;');
The page then simply displays the <script> text as a string, and it is not executed.
This is not a jQuery bug, though: looking at the jQuery source code, the <script> handling in jQuery.append() appears to be intentional.
The jQuery.append() method is designed with the intention of allowing scripts to be executed, so jQuery does not recommend using such things as URLs, cookies, or input field values as append() parameters.
If there is a need, then escape it.
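One way to do that escaping, as an added example that is not part of the original article: it goes beyond the two-character replace above by also escaping &, " and ', so the value stays inert inside a quoted attribute as well as in element text. The names escapeHtml, safeHtml and attrStr are hypothetical, and the inputs are constructed samples.

```javascript
// Added example (not from the original article). Escapes every character that
// is significant in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // String() so numbers, null and undefined are handled without throwing.
  // A single pass over the input means '&' is never escaped twice.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup written by the
// developer; every interpolated value is treated as untrusted and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Constructed sample inputs standing in for a URL parameter or form field.
const xssStr = '<script>console.log(1)</script>';
const attrStr = '" onmouseover="console.log(1)';

const markup = safeHtml`<p title="${attrStr}">${xssStr}</p>`;
console.log(markup);

// In the browser, with jQuery loaded:
//   $('#test').append(markup);  // shown as text, nothing executes
//   $('#test').text(xssStr);    // .text() never parses HTML, no escaping needed
```

When the value only needs to appear as text, jQuery's .text() is the simpler choice because it never parses its argument as markup.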
XSS Vulnerability in jQuery.append(), jQuery.html()