Protecting jQuery code against XSS is very hard, because so many jQUery functions/methods are XSS sinks. See this question as an example.

When writing plain JavaScript, you must be careful what changes are made to the DOM and what you pass to "eval()", "new Function()", "setTimeout()" and "setInterval()".

When writing jQuery code you must additionaly be careful what you pass to the following functions time because they may call eval() or make change to the DOM:

• jQuery()
• $()
• .after()
• .append()
• .appendTo()
• .before()
• .html()
• .insertAfter()
• .insertBefore()
• .parseHTML()
• .prepend()
• .prependTo()
• .replaceWith()
• .wrap()
• .wrapAll()
• .wrapInner()

As soon as you pass a string you do not control to any of these functions, there is a risk of XSS.

Moreover, this list might not be complete. This is only what I came up with by doing a quick search through the jQuery code.

You can't protect jQuery from XSS. XSS vulnerability occur in your server software. Take look at Exploit_scenarios for a better understanding how XSS works.

A website that outputs data that is user generated has possible XSS vulnerability if it outputs the user generated content unfiltered, because then the user can create a <script/> tag with malicious code. But you need to filter this on the server before sending to the client (browser).

The answer of jigfox is not 100% right. Sometimes, you could use data from the URL directly in JavaScript. Even if you sanitize a link server side, it doesn't mean that another website can't link to your Website using a malicious URL.

I use this URL to proof check my Websites: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet