I can't find anything in the documentation about val() and prop() and escaping.
Are they intended to escape values when used as setters?
Not really. .val() is used to set a form field's value attribute, so escaping isn't really necessary there. You'll be setting the value via the DOM, so it's not like you're constructing HTML through string concatenation. .prop(), on the other hand, doesn't even interact with attributes at all - just DOM properties, so you don't need to worry about HTML escaping there either.
Edit: for the sake of clarification, I'm assuming that you're asking this because you're concerned about .prop() or .val() as an XSS attack vector (or just an opportunity to shoot yourself in the foot)? If that's the case, you need to remember that when setting attributes and properties via the DOM, the values that you set are essentially sandboxed to the attribute or value you were interacting with. For example, given the following:
<div id="foo"></div>
And you attempted to abuse an attribute value, such as:
$('#foo').attr('rel', '"></div><script>alert("bang");</script><div rel="');
You might be concerned that this would result in something like the following:
<div id="foo" rel=""></div><script>alert("bang");</script><div rel=""></div>
This will never happen, though. You will indeed have a rel attribute with the evil-looking string as its value, but no new markup or DOM nodes will be created. The string itself isn't escaped - it's just simply not interpreted as markup. It's just a string and that's it.
They expect strings, not HTML. You don't need to escape anything.
The methods themselves don't do any escaping either, the underlying DOM APIs they use also deal in strings, not HTML.
Once you start using JavaScript you almost never need to worry about HTML syntax, the only exception I can think of is when dealing with the innerHTML property which explicitly deals with (de)serialising the DOM to and from HTML.
I just want to add that you DO have to worry when inserting values inside attributes with side effects which can cause code execution. These include the image src attribute, which can be used for XSS. See: https://www.owasp.org/index.php/Script_in_IMG_tags
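The two points above (plain-string attributes need no escaping; attributes the browser dereferences need their value checked as a URL) as an added example, not code from any of the answers. The names safeUrl and setAttr, the scheme allow-list and the placeholder base URL are my assumptions; in a browser pass a real element as el, under Node a plain object stands in for it.

```javascript
// Added example: contrast a value-only attribute (rel, value) with a
// side-effect attribute (src, href) when assigning through the DOM.
// Assumptions: names and allow-list are mine, not from the answers above.

const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Attributes whose value the browser fetches or navigates to.
const URL_ATTRS = new Set(['src', 'href', 'action', 'formaction']);

// Return `value` unchanged if it parses to an allowed scheme, else null.
// The WHATWG URL parser strips leading/trailing whitespace and removes
// embedded tabs/newlines, so "java\tscript:" style obfuscation still
// resolves to the javascript: scheme and is rejected.
function safeUrl(value) {
  const base = 'https://example.invalid/'; // placeholder base for relative paths
  let url;
  try {
    url = new URL(String(value), base);
  } catch {
    return null; // unparsable input is rejected
  }
  return SAFE_SCHEMES.has(url.protocol) ? String(value) : null;
}

// Assign via the DOM property (what .prop()/.val() do), never by building
// markup. Returns true if the value was applied, false if it was dropped.
function setAttr(el, name, value) {
  if (URL_ATTRS.has(name)) {
    const u = safeUrl(value);
    if (u === null) return false; // e.g. "javascript:alert(1)" never reaches src
    el[name] = u;
    return true;
  }
  // A plain string attribute: the markup-looking text is stored verbatim and
  // is never parsed, so no new nodes appear and no escaping is needed.
  el[name] = String(value);
  return true;
}
```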