Fix a warning thrown by HTML Validator

I have some JavaScript code in my PHP website.
This code uses jQuery, and builds a <select> menu using Ajax calls.

Here is the code

sel.append('<option value="' + data[i].id + '">' + data[i].nombre + '</option>');

And this gives me the following warning

line 240 column 82 - Warning: '<' + '/' + letter not allowed here

Does anyone know how I can fix this warning, so my HTML validates? Thanks

Enrique asked Dec 09 '22 18:12


1 Answer

The issue is that any </ sequence — known as ETAGO — ends a CDATA element such as a <script>. You can get away with </ in browsers but not </script.

The simplest workaround is to break up the </ sequence with a backslash-escape:

sel.append('<option value="' + data[i].id + '">' + data[i].nombre + '<\/option>');

However this line still has problems, because you aren't HTML-escaping your id and nombre values. If they may contain <, & or ", you've just built yourself a client-side XSS vulnerability!

So either HTML-escape your text values before putting them into strings, or, perhaps simpler, just use the standard DOM:

sel.append(new Option(data[i].nombre, data[i].id));

bobince answered Dec 12 '22 09:12
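
The HTML-escaping route mentioned in the answer, as an added example that is not part of the original question or answer. The names `escapeHtml`, `buildOptions`, `buildOptionsUnescaped` and `sampleRows` are hypothetical, and the sample rows are constructed.

```javascript
// Added example: hypothetical helpers, not code from the question or answer.
// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
  });
}

// Build <option> markup from Ajax rows, escaping both the attribute and the text.
// '<\/option>' is the same string as '</option>' at run time; the backslash only
// hides the ETAGO sequence from an HTML parser reading an inline <script>.
function buildOptions(rows) {
  return rows.map(function (row) {
    return '<option value="' + escapeHtml(row.id) + '">' +
           escapeHtml(row.nombre) + '<\/option>';
  }).join('');
}

// The original concatenation, kept for comparison: values are inserted unescaped,
// so any markup characters in them become part of the page structure.
function buildOptionsUnescaped(rows) {
  return rows.map(function (row) {
    return '<option value="' + row.id + '">' + row.nombre + '<\/option>';
  }).join('');
}

// Constructed sample response: values containing <, & and ".
var sampleRows = [
  { id: 1, nombre: 'Ventas & Marketing' },
  { id: '2" data-x="y', nombre: '<b>Soporte</b>' }
];

// In a browser, the DOM route from the answer needs no escaping at all:
//   sel.append(new Option(row.nombre, row.id));
console.log(buildOptions(sampleRows));
console.log(buildOptionsUnescaped(sampleRows));
```

In the escaped output the second row's quote and tags appear as `&quot;`, `&lt;` and `&gt;`, so they stay inside the attribute value and the option text instead of creating a new attribute or element.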