The JSON response is fine on its own, but at the time of insertion it has to be made safe. markup is a string which is then converted to DOM via:
$('body').append(markup);
While the above is not a security risk as it is, it is bad practice and has performance implications.
In general, converting strings to DOM is not a good idea. Additionally, whenever strings are converted to DOM (through whatever method) they have to be checked thoroughly to make sure they are safe.
As you are converting values to integers, the result is safe, e.g.:
result = (input.val() * rates.rates[thatSelectedCurrency]).toFixed(2);
If you change the process, it should be safe.
Avoid converting strings to DOM, i.e. markup, or the following etc.:
output.html('¯\\_(ツ)_/¯');
JQuery.html() is similar to innerHTML and converts strings to DOM. While the above is safe, the better way is to use textContent or JQuery.text().
Instead of the HTML entities, you can use their Unicode, which works fine with textContent.
Finally, another problem of converting strings to DOM is that the reviewer has to track each variable through many files to find out where they have come from and if they are safe. That significantly complicates the review process and adds to your waiting time.
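The distinction the answer draws between .html()/innerHTML (string parsed as markup) and .text()/textContent (string stored as a text node) can be made concrete with a small model that runs outside a browser. The following is an added example, not code from the question or the answer: FakeElement is a constructed stand-in that serialises the way a browser would, escapeHtml is an assumed helper, and formatRate mirrors the answer's (value * rate).toFixed(2) line. The untrusted input used below is a constructed sample.

```javascript
// Added example: model of innerHTML vs textContent, runnable without a DOM.
// FakeElement, escapeHtml and the sample inputs are constructed for this
// illustration; in a real page you would use document.createElement, and
// element.textContent (or jQuery .text()) in place of the setters below.

function escapeHtml(s) {
  // Serialisation rules a browser applies to a text node's characters.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

class FakeElement {
  constructor(tag) {
    this.tag = tag;
    this.inner = '';
  }
  // .html() / innerHTML: the string is parsed as markup, so any tag in it
  // becomes live DOM. Nothing is escaped.
  set innerHTML(markup) {
    this.inner = String(markup);
  }
  // .text() / textContent: the string becomes a text node; when the node is
  // serialised, markup characters come out escaped, so they stay literal.
  set textContent(text) {
    this.inner = escapeHtml(text);
  }
  // .append(element): a real node is attached, no string parsing involved.
  append(child) {
    this.inner += child.outerHTML;
  }
  get outerHTML() {
    return `<${this.tag}>${this.inner}</${this.tag}>`;
  }
}

// Mirrors the answer's safe arithmetic: the result of Number coercion can
// only be a number (or NaN), never markup, so it cannot inject anything.
function formatRate(inputValue, rate) {
  return (Number(inputValue) * rate).toFixed(2);
}

// The pattern the answer warns about: an untrusted string is concatenated
// into markup and then parsed. Whatever the string contains becomes DOM.
function renderWithHtml(container, untrusted) {
  container.innerHTML = '<span>' + untrusted + '</span>';
  return container.outerHTML;
}

// The recommended pattern: build the element with the DOM API and set its
// text. The same untrusted string is now displayed literally.
function renderWithText(container, untrusted) {
  const span = new FakeElement('span');
  span.textContent = untrusted;
  container.append(span);
  return container.outerHTML;
}

// Constructed sample input: markup that should be shown, not interpreted.
const SAMPLE_UNTRUSTED = '<b>injected</b>';

// Unicode works through textContent with no entity encoding needed.
const SHRUG = '¯\\_(ツ)_/¯';

function demo() {
  return {
    rate: formatRate('10', 1.1),                                    // "11.00"
    viaHtml: renderWithHtml(new FakeElement('div'), SAMPLE_UNTRUSTED),
    viaText: renderWithText(new FakeElement('div'), SAMPLE_UNTRUSTED),
    shrug: renderWithText(new FakeElement('div'), SHRUG),
  };
}
```

Run demo() and compare viaHtml with viaText: the first contains a live <b> element created from the untrusted string, the second contains the same characters escaped so the reader sees them as text. This is also why the answer says a reviewer only needs to check the .text() path once: the value's origin no longer matters for markup safety, whereas every .html() call site has to be traced back to its source.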