Can malicious javascript code be injected through $()?

With that statement, you're asking jQuery to perform a query based on a selector. Being the string a selector, it can't do any harm.


Yes, if you're using an older version of jQuery, this is possible in certain cases. This was fixed (here's the commit) in version 1.6.3. Also see the corresponding bug report.

The commit includes a test case that clarifies the issue:

jQuery( '#<img id="check9521" src="no-such-.gif"' +
        'onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");

With jQuery versions prior to 1.6.3, the onerror code would have been executed.

Your particular example (just checking for the length) doesn't have this issue, though.


As of 22/10/2012, jQuery 1.8.2:

Yes, XSS attacks are possible.

var input = "<script>alert('hello');</script>"
$(input).appendTo("body");

See demo. It seems the jQuery team has acknowledged this and has plans to address it in jQuery 1.9.

As of jQuery 1.8, use $.parseHTML if you expect user input to be html:

var input = "<script>alert('hello');</script>"
$($.parseHTML(input)).appendTo("body");​

See demo, no alerts.


In the case OP describes however, the following:

var untrusted_js_code = 'alert("moo")';
$('#' + untrusted_js_code).show();

Will translate to this:

$('#alert("moo")').show();

This is intrepreted by jQuery as a CSS selector, thanks to the preceding # in the string, which as oppposed to html cannot have in-line JS code, so it is relatively safe. The code above would only tell jQuery to look for a DOM element by that ID, resulting in jQuery failing to find the element and thus not performing any action.