I have a jquery ajax call that returns XML. On the server we are encoding the xml attributes using the Antixss library from Microsoft, specifically calling Encoder.XmlAttributeEncode.
The results on the server are properly encoded:
<data><item att1="Test" val="&lt;script&gt;alert(&quot;XSSFIX&quot;);&lt;/script&gt;" /></data>
But when the XML is returned to the client, the XML is showing decoded:
<data><item att1="Test" val="<script>alert("XSSFIX")</script>;" /></data>
The attributes are pulled out and appended to the DOM. I'm looking for best practices on handling this situation.
Update #1: On the client I'm dynamically creating a table and inserting the values of the XML attributes, similar to this below. Then finally I'm appending the table (string) to a div.
...
tableMarkup += "<tr><td>" + f.getAttribute('att1') + "</td><td>" + f.getAttribute('val') + "</td></tr>";
placeHolderDiv.append($(tableMarkup))
It sounds like you actually need two layers of escaping:
1. The HTML-escaping should be done on the client (e.g., use .text() instead of .html()).
2. The XML-escaping should be done by your XML library (e.g., passing a string to XAttribute; you should not concatenate XML by hand).
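The two layers the answer describes, traced end to end as an added example (this is not code from the question or the answer, and it stands in for jQuery, the browser's XML parser and the AntiXSS library rather than calling them). It runs in plain Node: `xmlAttributeEncode` plays the role of `Encoder.XmlAttributeEncode` / `XAttribute` on the server, `decodeXmlAttribute` and `parseItems` are a stand-in for what `getAttribute()` returns after the browser has parsed the response, and `escapeHtml` is the second layer that `.text()` applies for you in the browser. The `<data>/<item>` document shape and the sample payload are taken from the question; everything else is constructed for the example.

```javascript
// Added example, not from the question or the answer. Simulates the two
// escaping layers without jQuery, a DOM or the AntiXSS library.

// Layer 1 (server): XML attribute encoding. Stand-in for
// Encoder.XmlAttributeEncode / XAttribute, not Microsoft's implementation.
function xmlAttributeEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Server side: build the XML response. Every attribute goes through layer 1.
function buildXml(items) {
  const elements = items
    .map(i => `<item att1="${xmlAttributeEncode(i.att1)}" val="${xmlAttributeEncode(i.val)}" />`)
    .join('');
  return `<data>${elements}</data>`;
}

// What the browser's XML parser does on arrival: the entities are consumed and
// getAttribute() hands back the original text. Seeing <script> again on the
// client is therefore expected; layer 1 has done its job and been used up.
// This stand-in decoder handles only the five predefined XML entities.
function decodeXmlAttribute(encoded) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return encoded.replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => named[name]);
}

// Minimal attribute extraction for the question's own document shape, standing
// in for f.getAttribute(); it is not a general XML parser.
function parseItems(xml) {
  const items = [];
  const itemRe = /<item att1="([^"]*)" val="([^"]*)" \/>/g;
  let m;
  while ((m = itemRe.exec(xml)) !== null) {
    items.push({ att1: decodeXmlAttribute(m[1]), val: decodeXmlAttribute(m[2]) });
  }
  return items;
}

// Layer 2 (client): HTML escaping of text content. In the browser you would not
// write this yourself: $('<td>').text(value) or td.textContent = value does it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The question's pattern: decoded attribute values concatenated straight into
// markup. Layer 2 is missing, so the script element reaches the DOM intact.
function renderRowsUnsafe(items) {
  return items.map(i => `<tr><td>${i.att1}</td><td>${i.val}</td></tr>`).join('');
}

// Same table with layer 2 applied: the value renders as literal text.
function renderRowsSafe(items) {
  return items
    .map(i => `<tr><td>${escapeHtml(i.att1)}</td><td>${escapeHtml(i.val)}</td></tr>`)
    .join('');
}

// Round trip with a constructed payload matching the one in the question.
const sampleItems = [{ att1: 'Test', val: '<script>alert("XSSFIX");</script>' }];
const xmlOnTheWire = buildXml(sampleItems);   // what the server sends
const clientItems = parseItems(xmlOnTheWire); // what getAttribute() yields

console.log('wire:  ', xmlOnTheWire);
console.log('unsafe:', renderRowsUnsafe(clientItems));
console.log('safe:  ', renderRowsSafe(clientItems));
```

The point the round trip makes: the "decoded" value on the client is the XML layer working correctly, and the fix is on the client, by letting the DOM (or `.text()`) treat the attribute value as text instead of splicing it into an HTML string.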