Secure Node.js chat (avoid XSS)

醉话见心 2021-02-09 19:34

I'm building a simple little chat with Node.js and socket.io.

When a user types his message, it is broadcasted to all other users.

Server sends the message:

2 Answers
  •  渐次进展
    2021-02-09 20:34

    Don't use .html() because that's basically eval on steroids - capable of causing the interpretation of a good variety of languages.

    Text is always interpreted as text though:

    // The element tag was lost in extraction; <div> is assumed here.
    $('#messages').append($("<div>", { text: data.message }));

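The contrast the answer draws, as an added example that is not part of the original post: rendering is modelled with strings so it runs under Node without a DOM, and `prepareBroadcast`, `MAX_LEN` and the other function names are assumptions. It goes slightly beyond the answer by also checking the payload type and length on the server before broadcasting.

```javascript
// Added example (not from the original post). Names and MAX_LEN are assumptions.
const MAX_LEN = 500;

// Server side: socket.io delivers arbitrary JSON, so check the shape before
// broadcasting. Returns the string to broadcast, or null to drop the event.
function prepareBroadcast(payload) {
  if (payload === null || typeof payload !== 'object') return null;
  const msg = payload.message;
  if (typeof msg !== 'string') return null;
  const trimmed = msg.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_LEN) return null;
  return trimmed;
}

// Client side, modelled as strings so it runs without a DOM.
// Text insertion is equivalent to encoding these five characters.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Safe: the message can only ever become character data inside the <div>.
function renderAsText(message) {
  return '<div>' + escapeHtml(message) + '</div>';
}

// Unsafe: the .html() pattern the answer warns about; the message is parsed as markup.
function renderAsHtml(message) {
  return '<div>' + message + '</div>';
}

// True when the fragment contains any markup besides the wrapper <div>.
function hasInjectedElement(fragment) {
  const inner = fragment.slice('<div>'.length, -'</div>'.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample payloads, as a server would receive them.
const SAMPLES = [
  { message: 'hello <b>world</b>' },
  { message: '<img src=x onerror="alert(1)">' },
  { message: ['not', 'a', 'string'] },
  { message: '   ' },
];
for (const p of SAMPLES) {
  const msg = prepareBroadcast(p);
  if (msg === null) { console.log('dropped:', JSON.stringify(p)); continue; }
  console.log('text:', renderAsText(msg), '| html:', renderAsHtml(msg));
}
```

In a real page the safe path is `textContent` or jQuery's `text`, as in the answer; `escapeHtml` is only needed where markup has to be assembled as a string.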