Secure Development for Mobile Apps
    // Compare the confirmation field with the password field and colour the
    // field's container green on a match, red on a mismatch.
    if (confirm.val() === pass.val()) {
        confirm.parent().removeClass('bad').addClass('good');
    } else {
        confirm.parent().removeClass('good').addClass('bad');
    }
});
JavaScript and jQuery Escaping and Filtering
Whenever data is retrieved from a source that you have not filtered or escaped
yourself, the possibility of an XSS attack exists, depending on how JavaScript or
jQuery places the data into the HTML page. Sinks such as jQuery's .html() and
.append() parse the string as markup, so a script element or an event-handler
attribute inside the data is executed; sinks that treat the string as text do not.
The following snippet shows methods that allow XSS to execute, and methods that
prevent execution.
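As an added illustration that is not part of the book's text, the following plain JavaScript (runnable in Node without jQuery; the jQuery sinks it relates to are named in comments) escapes untrusted feed data before it is built into markup and allowlists the link scheme. The `rss` payload, the sample feed items and the helper names (`escapeHtml`, `renderFeedItem`, `renderFeed`) are constructed for this example and are not from the book.

```javascript
// Constructed sample: what a hostile RSS feed might hand back to the app.
const rss = "<script>alert('attack');</script>";

// The five characters that can change meaning in HTML text or in a quoted
// attribute value. Everything else passes through unchanged.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted data for an HTML text or quoted-attribute context.
// This is what jQuery's .text() does implicitly; .html()/.append() do not.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Filtering, as opposed to escaping: only http(s) links are allowed through.
// Escaping alone would not stop a "javascript:" URL inside an href.
function safeHref(link) {
  return /^https?:\/\//i.test(String(link)) ? escapeHtml(link) : '#';
}

// Build one feed entry as markup with every untrusted field escaped or
// filtered. The resulting string can then go to $("#feed").html(...).
function renderFeedItem(item) {
  return `<li><a href="${safeHref(item.link)}">${escapeHtml(item.title)}</a></li>`;
}

function renderFeed(items) {
  return `<ul>${items.map(renderFeedItem).join('')}</ul>`;
}

// Constructed feed items covering a script payload, an attribute breakout and
// a benign title with characters that must survive escaping intact.
const SAMPLE_ITEMS = [
  { title: rss, link: 'javascript:alert(1)' },
  { title: '" onmouseover="alert(1)', link: 'https://example.test/x?a=1&b=2' },
  { title: 'Plain "quoted" title & more', link: 'https://example.test/ok' },
];

console.log(renderFeed(SAMPLE_ITEMS));
```

With jQuery, `$("#feed").text(rss)` performs the same escaping implicitly, while `$("#feed").html(escapeHtml(rss))` is safe only because the string was escaped first; `$("#feed").html(rss)` hands the raw markup to the parser. Escaping is context-specific: the entity table above is correct for HTML text and quoted attribute values, but a value placed into a URL or into inline JavaScript needs that context's own encoding instead.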
$(function() {
    // result from favorite RSS feed site (hostile content, not filtered by us)
    var rss = "<script>alert('attack');</script>";
    // Allow XSS to execute: the string is parsed as HTML and the script runs
    $("#feed").html(rss);
    $("#feed").append(rss);
    // Prevent XSS from executing