Parameters taken from the URL are untrusted input and should always be escaped before being used in your JavaScript, in particular before being inserted into the page's HTML.
Using jQuery you can easily do:
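// Let the browser build a text node from the untrusted value and serialize it back.
// The serializer escapes "&", "<" and ">" but not quotes, so the result is only
// safe in element content, not inside attribute values.
var safeString = $("<span></span>").text(unsafeString).html();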
Using plain JavaScript:
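// Characters that are significant in HTML mapped to their entity forms.
// Both quote characters and "/" are included so the escaped output is safe
// inside quoted attribute values as well as in element content.
var entityMap = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;"
};

/**
 * Escapes a value for safe insertion into HTML (element content or a
 * quoted attribute value).
 *
 * @param {*} string - Value to escape; it is coerced with String() first,
 *   so null and undefined become the literal text "null" / "undefined".
 * @returns {string} The input with &, <, >, ", ' and / replaced by entities.
 */
function escapeHtml(string) {
  return String(string).replace(/[&<>"'\/]/g, function (s) {
    return entityMap[s];
  });
}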
The Stack Overflow discussion can be found here: http://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery