on jQuery change... using .html();

OK let's say I have a jQuery fu开发者_Go百科nction... it's an AJAX Post... well after success I do this

$("#title"+id).html(Z);

and Z is var Z=$("#"+X+" textarea.editAnswer").val();.

However if I type in the textarea something like <script>alert('Test');</script> and then press save... it will save it and the test alert will popup. So... how do I fix this?

This is code injection and should be avoided with HTML encoding.

Either:

1. return HTML encoded result from the server (after you've saved it) and populate that into your #title element or
2. use escape() Javascript function to encode it on the client and populate that result into your #title element

Depending on the scenario, you should always use the one that makes it harder for the user to hack. I'd suggest you use server side approach, because users won't be able to override your custom javascript function and address their own twisted agenda...

Your options are escaping the code or using whitelists.

Do you need the html code? Take a look at this question: How to prevent Javascript injection attacks within user-generated HTML

And then these ones:

Script injection - form validation (jquery)

Do you only run htmlspecialchars() on output or is there other functionality you also do?