I have unescaped data from users. So is it safe to use like this:

Question

0

Editorial Team

Asked: May 31, 20262026-05-31T10:32:18+00:00 2026-05-31T10:32:18+00:00

I have unescaped data from users. So is it safe to use like this:

0

I have unescaped data from users.

So is it safe to use like this:

var data = '<test>a&f"#</test>'; // example data from ajax response
if (typeof(data) === 'string')
    $('body').text(data);

Can I use like this or there is some problems like encoding or some specific symbols that I should be careful and add more strict validation?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-31T10:32:20+00:00

When you set the text of an element using the text method, jQuery uses createTextNode internally, which escapes all special characters.

From the jQuery docs:

We need to be aware that this method escapes the string provided as
necessary so that it will render correctly in HTML. To do so, it calls
the DOM method .createTextNode(), which replaces special characters
with their HTML entity equivalents (such as < for <)

So yes, it should be safe. Here’s your example in jsfiddle. Notice how the tags appear as literal text.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have unescaped data from users. So is it safe to use like this:

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply