Cross-Site Scripting vulnerability with JavaScript and jQuery

Think you’ve protected your site against Cross-Site Scripting attacks by escaping all the content that you’ve rendered? Thought about your JavaScript? Here’s a neat bug that got us today. This example is contrived to show a point.

    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="utf-8">
      <title>XSS Example</title>
      <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
      <script>
        $(function() {
          // Show the first option's text after the select, then hide the select.
          $('#users').each(function() {
            var select = $(this);
            var option = select.children('option').first();
            select.after(option.text());
            select.hide();
          });
        });
      </script>
    </head>
    <body>
      <form method="post">
        <p>
          <select id="users" name="users">
            <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
          </select>
        </p>
      </form>
    </body>
    </html>

See the problem?...
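An added example (not from the original post) that models the round trip in the snippet above under Node, without a browser: the escaped option body is decoded by the HTML parser, returned as raw characters by `.text()`, and parsed as HTML again when `.after()` receives it as a string. The helper names (`textOf`, `escapeHtml`, `markupForAfter`, `createsElements`, `showFirstOption`) are made up for this illustration, and `textOf` is a simplified stand-in that handles only five named references plus numeric ones.

```javascript
// Model of the HTML parser step: character references in the <option> body
// are decoded, so jQuery's .text() returns the raw characters.
function textOf(optionSource) {
  const named = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);
  return optionSource.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    const r = ref.toLowerCase();
    if (r[0] !== '#') return named.has(r) ? named.get(r) : match;
    const code = r[1] === 'x' ? parseInt(r.slice(2), 16) : parseInt(r.slice(1), 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Escape text for an HTML context: what the server did once, and what the
// client must do again before handing the text to an HTML-parsing sink.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// select.after(string) parses the string as HTML, so decoded text becomes
// markup again. Returns the markup that reaches the parser in each variant.
function markupForAfter(optionSource, { escape }) {
  const text = textOf(optionSource);
  return escape ? escapeHtml(text) : text;
}

// True if the markup would create elements rather than only text.
function createsElements(markup) {
  return /<[a-z\/!?]/i.test(markup);
}

// Browser-side fix (needs jQuery and a DOM, so it is defined but not run here):
// a text node is inserted as data and is never parsed as HTML.
function showFirstOption(select) {
  const option = select.children('option').first();
  select.after(document.createTextNode(option.text()));
  select.hide();
}

// Constructed input: the option body from the page's example.
const OPTION_SOURCE = "&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;";
```

When reviewing similar code, look for any value read with `.text()`, `.val()` or `.attr()` that flows into a jQuery method which accepts an HTML string, such as `.after()`, `.append()` or `.html()`.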