The JSON response is fine on its own, but at the time of insertion it has to be made safe.
markup is a string which is then converted to DOM via
While the above is not a security risk as it stands, it is bad practice and has performance implications.
In general, converting strings to DOM is not a good idea. Additionally, whenever strings are converted to DOM (through whatever method), they have to be checked thoroughly to make sure they are safe.
As you are converting values to integers, the result is safe, e.g.:
result = (input.val() * rates.rates[thatSelectedCurrency]).toFixed(2);
If you change the process, it should be safe.
Avoid converting strings to DOM, i.e.
markup, or the following, etc.:
jQuery.html() is similar to
innerHTML and converts strings to DOM. While the above is safe, the better way is to use
Instead of the HTML entities, you can use their Unicode equivalents, which work fine with
Finally, another problem with converting strings to DOM is that the reviewer has to track each variable through many files to find out where it has come from and whether it is safe. That significantly complicates the review process and adds to your waiting time.
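To make the contrast concrete, here is an added example (not code from the question or the answer above) that puts the numeric conversion, the string-to-markup pattern being warned about, an escaped variant, and the text-node alternative side by side. The `rates` table and currency symbols are constructed sample data, and the `rates.rates[...]` / `thatSelectedCurrency` shape mirrors the names used above.

```javascript
// Constructed sample rate table shaped like the answer's rates.rates[currency].
const rates = { rates: { EUR: 0.92, GBP: 0.79 } };

// Unicode symbols used directly in text instead of HTML entities such as &euro;.
const SYMBOLS = { EUR: '\u20AC', GBP: '\u00A3' };
function currencySymbol(code) {
  return SYMBOLS[code] || code;
}

// Numeric conversion: the output is a fixed-format number string, so it cannot
// carry markup regardless of what the user typed into the input field.
function convert(inputValue, thatSelectedCurrency) {
  const amount = Number(inputValue);
  const rate = rates.rates[thatSelectedCurrency];
  if (!Number.isFinite(amount) || rate === undefined) return null;
  return (amount * rate).toFixed(2);
}

// Escape the characters that change meaning once a string reaches the HTML parser.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the answer discourages: build markup as a string. Whatever is
// interpolated here is parsed as HTML by innerHTML or jQuery.html().
function unsafeMarkup(label, value) {
  return '<span class="result">' + label + ': ' + value + '</span>';
}

// Same string, but every dynamic piece is escaped before it meets the parser,
// so a label containing tags is shown literally instead of being interpreted.
function escapedMarkup(label, value) {
  return '<span class="result">' + escapeHtml(label) + ': ' + escapeHtml(value) + '</span>';
}

// Preferred: bypass the HTML parser entirely. Create the element and assign
// text via textContent (jQuery's .text() behaves the same way). Requires a DOM,
// so it is only callable in a browser page; the other functions run anywhere.
function renderResult(container, currency, value) {
  const span = container.ownerDocument.createElement('span');
  span.className = 'result';
  span.textContent = currencySymbol(currency) + ' ' + value;
  container.replaceChildren(span);
  return span;
}
```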