data returned from the server is susceptible to XSS. Do I need to sanitize the data at the server before sending it to the client using something like htmlspecialchars(), or does $.get() mitigate the XSS? Thank you
    // Fetch JSON from getData.php and write each field into a different sink
    $.get('getData.php',
        function (data) {
            $('#div1').text(data.div1);       // sets the text content of #div1
            $('#div2').html(data.div2);       // parses data.div2 as HTML inside #div2
            $('#textarea').val(data.textarea); // sets the value of the textarea
        }, 'json');
$('#div1').text(data.div1);

This is not susceptible to XSS, since you're changing the text of the element. This takes care of what you would use htmlspecialchars for.

$('#div2').html(data.div2);

This is, since you're changing the HTML and not the text, so if you don't know your response, someone could put a <script> tag there and run arbitrary code on your page.

$('#textarea').val(data.textarea);

This is also OK, since it changes the content of a textarea.
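As an added example (not code from the question or the answer above), the following models the three jQuery sinks as plain functions so it runs in Node without a browser: a string written with .text() is serialised as a text node, .html() parses the string as markup verbatim, and .val() only sets a value property. The payload, the response object and the escapeHtml/render helpers are constructed for this illustration; escapeHtml mirrors what PHP's htmlspecialchars($s, ENT_QUOTES) would do on the server before the JSON is sent.

```javascript
// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES) applied in getData.php
// before the value is put into the JSON response (assumed server-side step).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// $('#div1').text(s): the browser stores a text node, so when the element is
// serialised the markup characters appear as entities and no tag is ever parsed.
function asTextNode(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// $('#div2').html(s): the string is handed to the HTML parser unchanged.
function asInnerHtml(s) {
  return String(s);
}

// $('#textarea').val(s): only the value property changes; it is not parsed as markup.
function asValue(s) {
  return String(s);
}

// Crude check for a parseable element start in serialised markup.
function containsTag(markup) {
  return /<[a-zA-Z]/.test(markup);
}

// Render a JSON response the way the question's callback does.
// serverEscapesHtmlField: whether the server ran escapeHtml on data.div2 first.
function render(data, serverEscapesHtmlField) {
  const div2 = serverEscapesHtmlField ? escapeHtml(data.div2) : data.div2;
  return {
    div1: asTextNode(data.div1),
    div2: asInnerHtml(div2),
    textarea: asValue(data.textarea),
  };
}

// Constructed attacker-controlled string, e.g. a stored comment echoed back by the server.
const payload = '<img src=x onerror="alert(document.cookie)">';
const response = { div1: payload, div2: payload, textarea: payload };

const unsafe = render(response, false); // div2 now contains a live <img onerror=...>
const safe = render(response, true);    // div2 shows the payload as literal text

console.log('text sink  :', unsafe.div1);
console.log('html sink  :', unsafe.div2, '-> tag present:', containsTag(unsafe.div2));
console.log('html sink, escaped on server:', safe.div2, '-> tag present:', containsTag(safe.div2));
console.log('textarea   :', safe.textarea);
```

Escaping with htmlspecialchars before .html() makes the field safe but also turns every tag into visible text, which defeats the purpose of using .html() at all. If the server genuinely needs to deliver markup into #div2, the response has to go through an allowlist HTML sanitizer rather than an escaper; otherwise use .text() and let the browser do the escaping.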