I am aware of this; the second snippet of code is in another location (I assumed you would see that I converted it, or else I would be getting errors...). I send convert as an object to the service, and then parse the contents to get the desired result (many fields, like ID, as specified).
Regardless, the string (malicious script), once written to the page, will fire. It looks like you put the obj.Message in quotes, which, when I tried it, failed to prevent the script from running.
To be clear. I write to the service like this:
var me = localStorage.getItem('myFirstName');
var test = Appery('messageField').val();
var id = localStorage.getItem('userId');
var convert = '{ "ID": "'+id+'", "Sender": "'+me+'", "Message": "'+test+'"}';
Now the string is stored in the collection.
When I recall the information, I get the string and parse it. Then I write it back to the page. I do this in two different locations and styles.
1] I pull the object (now a string) and map it to the DOM using the arrow mapping. This method fails to prevent the script from executing once it gets inserted in the DOM.
2] I built a custom chat panel, which involves manually writing a chat item to an itemlist using .append('<li><...>'+convert.Message+'</...></li>'). This method also fails to prevent the script from executing.
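The two problems described in this post, as an added example that is not the poster's code nor part of Appery.io: the convert string is assembled by concatenating quotes around raw values, so a message containing a double quote produces invalid JSON, and the chat item is appended as raw HTML, so a message containing markup is executed rather than displayed. The functions below build the payload with JSON.stringify and render the message as escaped text; the sample message and the names buildPayload, naiveBuildPayload, escapeHtml, renderChatItem and appendChatItem are assumptions for the example.

```javascript
// Added example (not the poster's code). Shows a safe way to build the chat
// payload and to insert a received message into the page as text.

// The poster's pattern, kept only for comparison: quotes around raw values.
// A message containing a double quote breaks the JSON; markup passes through untouched.
function naiveBuildPayload(id, sender, message) {
  return '{ "ID": "' + id + '", "Sender": "' + sender + '", "Message": "' + message + '"}';
}

// JSON.stringify escapes quotes, backslashes and control characters for us.
function buildPayload(id, sender, message) {
  return JSON.stringify({ ID: id, Sender: sender, Message: message });
}

// HTML-escape the five characters that can change parsing context in markup.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Variant of the .append('<li>...' + obj.Message + '...</li>') pattern: the markup
// string is still built by concatenation, but every user-controlled value is escaped
// first, so "<script>" arrives in the list item as literal text.
function renderChatItem(payloadString) {
  var obj = JSON.parse(payloadString);
  return '<li><b>' + escapeHtml(obj.Sender) + '</b>: ' + escapeHtml(obj.Message) + '</li>';
}

// Preferred when a DOM is available (browser or jQuery): create the element and set
// its text, never its HTML, so no escaping step can be forgotten. `doc` is the
// document to use; with jQuery this is $('<li>').text(obj.Message).
function appendChatItem(listElement, payloadString, doc) {
  var obj = JSON.parse(payloadString);
  var li = doc.createElement('li');
  var sender = doc.createElement('b');
  sender.textContent = obj.Sender;
  li.appendChild(sender);
  li.appendChild(doc.createTextNode(': ' + obj.Message));
  listElement.appendChild(li);
  return li;
}

// Constructed sample message containing both markup and a double quote.
var SAMPLE_MESSAGE = '<script>alert(1)</script> said "hi"';

// Returns true when the naive payload cannot even be parsed back.
function naivePayloadIsBroken(message) {
  try {
    JSON.parse(naiveBuildPayload('42', 'alice', message));
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  var payload = buildPayload('42', 'alice', SAMPLE_MESSAGE);
  console.log(payload);
  console.log(renderChatItem(payload));
}
```

renderChatItem covers the custom chat panel case; for the arrow-mapping case the same rule applies: map the parsed Message into a property that is treated as text (an element's text, not its HTML), or escape it before mapping.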