I am learning about XSS and am trying to understand why escaped HTML added to the DOM is still triggering an XSS vulnerability.
The application draws a modal overlay for a form (bootstrap) and adds HTML (both escaped and unescaped) to that portion of the DOM. It gets the data from a request to the server, which auto-escapes any user input that contains HTML. Below is the code that is causing the vulnerability.
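// Bind a click handler to present and future .update_button elements.
// .live() is deprecated since jQuery 1.7 (removed in 1.9); the equivalent
// is $(document).on('click', '.update_button', ...). It is kept here so the
// snippet still runs on whatever jQuery version the page loads.
$('.update_button').live('click', function () {
  $('#name').modal();
  // The record id is read from a DOM attribute, i.e. from markup the page
  // did not necessarily generate itself — treat it as untrusted.
  var id = $(this).attr('data-id');
  // NOTE(review): these two selectors (#form_holder, #form_holder_loading)
  // do not match the #user_form_holder* selectors used in the callbacks
  // below — confirm which pair is the real one. As written, the loading
  // indicator shown here is never hidden by the success handler.
  $('#form_holder').hide();
  $('#form_holder_loading').show();
  $.ajax({
    url: '/some/path/',
    // Passing an object lets jQuery URL-encode the value. The original
    // 'id=' + id concatenation sent the attribute text verbatim, so an id
    // containing '&' or '=' would have altered the query string.
    data: { id: id },
    dataType: 'json',
    success: function (data) {
      // data.form is an HTML string in which user-entered text has been
      // entity-encoded by the server, e.g. '<' becomes '&lt;'.
      // .html() parses the string as markup, so this is only safe if the
      // server encodes user input for the exact context it lands in:
      // entity-encoding '<' and '>' protects text nodes, but is not
      // sufficient inside an unquoted or event-handler attribute, a URL
      // attribute, or an inline script. When debugging, check *where* in
      // data.form the user-controlled text appears, not only how it is
      // encoded.
      $('#user_form_holder_loading').hide();
      $('#user_form_holder').empty().html(data.form);
      $('#user_form_holder').show();
    },
    // The original had no error handler, so a failed request left the
    // loading indicator visible indefinitely.
    error: function () {
      $('#user_form_holder_loading').hide();
    }
  });
});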