if ($('#' + untrusted_js_code).length > 0)
Yes, XSS attacks are possible.
var input = "<script>alert('hello');</script>";
$(input).appendTo("body");
As of jQuery 1.8, use $.parseHTML if you expect user input to be HTML:
var input = "<script>alert('hello');</script>";
$($.parseHTML(input)).appendTo("body");
See demo, no alerts.
In the case OP describes however, the following:
var untrusted_js_code = 'alert("moo")';
$('#' + untrusted_js_code).show();
Will translate to this:
This is interpreted by jQuery as a CSS selector, thanks to the preceding # in the string, which as opposed to HTML cannot have in-line JS code, so it is relatively safe. The code above would only tell jQuery to look for a DOM element by that ID, resulting in jQuery failing to find the element and thus not performing any action.
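Added example, not part of the original question or answer: one way to make sure an untrusted value stays a single ID when it is concatenated after `#`, by escaping it with the CSSOM identifier rules that the browser's `CSS.escape()` implements. The helper names `cssEscape` and `idSelector` and the sample inputs are constructed for illustration.

```javascript
// Added example: escape an untrusted value before using it as an ID selector.
// cssEscape follows the CSSOM "serialize an identifier" rules that the
// browser's CSS.escape() implements; idSelector is a hypothetical helper name.
function cssEscape(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    if (c === 0) {
      out += "\uFFFD"; // NUL becomes the replacement character
    } else if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||
               (i === 0 && isDigit) ||
               (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) {
      // Control characters and a leading digit are written as hex escapes.
      out += "\\" + c.toString(16) + " ";
    } else if (i === 0 && s.length === 1 && c === 0x2d) {
      out += "\\-"; // a lone "-" is not a valid identifier
    } else if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit ||
               (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += s.charAt(i); // identifier characters pass through unchanged
    } else {
      out += "\\" + s.charAt(i); // everything else is backslash-escaped
    }
  }
  return out;
}

function idSelector(untrusted) {
  if (typeof untrusted !== "string" || untrusted.length === 0) {
    throw new TypeError("ID must be a non-empty string");
  }
  return "#" + cssEscape(untrusted);
}

// Constructed sample inputs, including the value used in the answer above.
const samples = ['main', 'alert("moo")', 'x, body', '<img>', '1st'];
for (const id of samples) {
  console.log(JSON.stringify(id), "->", idSelector(id));
}
// In a page: $(idSelector(untrusted_js_code)).show();
```

In a browser the built-in `CSS.escape()` or, from jQuery 3.0, `$.escapeSelector()` does the same job, and `document.getElementById(untrusted_js_code)` avoids selector parsing altogether.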