Question

data returned from the server is susceptible to XSS. Do I need to sanitize the data at the server before sending it to the client using something like htmlspecialchars(), or does $.get() mitigate the XSS? Thank you

$.get('getData.php',
function (data){
    $('#div1').text(data.div1);
    $('#div2').html(data.div2);
    $('#textarea').val(data.textarea);
},'json');

Solution

$('#div1').text(data.div1);

This is not susceptible to XSS since you're changing the text of the element. This takes care of what you use htmlspecialchars for.

$('#div2').html(data.div2);

This is, since you're changing the html and not the text, so if you don't know your response someone could put a <script> tag there and run arbitrary code on your page.

$('#textarea').val(data.textarea);

Is also ok, since it changes the content of a text area.
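The three cases the answer walks through, as an added example that is not part of the original question or answer and does not use jQuery itself: a tiny stand-in for a DOM element simulates what `.text()`, `.html()` and `.val()` each do to the same attacker-controlled string, so it runs under Node without a browser. The `escapeHtml`, `setText`, `setHtml`, `setVal`, `render` and `sanitizeResponse` names, and the sample JSON payload, are constructed for this illustration and are not from the page.

```javascript
// Added example (not from the original question or answer): simulates what jQuery's
// .text(), .html() and .val() do to a server payload, using a tiny stand-in for a DOM
// element instead of a real browser, so it runs under Node.

// Escape the five characters that matter in HTML text and attribute context.
// This is what the server-side htmlspecialchars() does, and what the browser does
// implicitly when jQuery .text() assigns textContent.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Minimal stand-in for a DOM element: innerHTML is the parsed markup,
// value is a form control's value property (never parsed as markup).
function makeElement() {
  return { innerHTML: "", value: "" };
}

// jQuery .text(): assigns textContent; the browser serialises it as escaped markup.
function setText(el, data) {
  el.innerHTML = escapeHtml(data);
}

// jQuery .html(): assigns innerHTML verbatim, so any markup in data is parsed.
function setHtml(el, data) {
  el.innerHTML = String(data);
}

// jQuery .val(): sets the control's value property; it is never parsed as markup.
function setVal(el, data) {
  el.value = String(data);
}

// Rough check: does the resulting markup contain a live <script> element?
function hasScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed sample server response (stands in for the JSON getData.php would
// return) with an attacker-controlled string in every field.
const sampleResponse = {
  div1: "<script>alert(1)</script>",
  div2: "<script>alert(1)</script>",
  textarea: "<script>alert(1)</script>",
};

// Mirrors the question's callback: .text() for div1, .html() for div2, .val() for textarea.
function render(data) {
  const div1 = makeElement();
  const div2 = makeElement();
  const textarea = makeElement();
  setText(div1, data.div1);
  setHtml(div2, data.div2);
  setVal(textarea, data.textarea);
  return {
    div1Safe: !hasScriptTag(div1.innerHTML),
    div2Safe: !hasScriptTag(div2.innerHTML),
    textareaSafe: !hasScriptTag(textarea.innerHTML), // value never reaches innerHTML
    div1Markup: div1.innerHTML,
  };
}

// The server-side fix the question asks about: escape the field that will be
// handed to .html() before it goes into the JSON, so it arrives as inert text.
function sanitizeResponse(data) {
  return { ...data, div2: escapeHtml(data.div2) };
}

console.log(render(sampleResponse));
console.log(render(sanitizeResponse(sampleResponse)));
```

Only the `.html()` path lets the `<script>` element reach the document; `.text()` and `.val()` turn the same payload into inert text, which is exactly why the server only needs to escape (or otherwise sanitize) fields that will be inserted as HTML.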

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow