The deXSS function escapes text so that it's safe to insert as raw HTML. However, its output gets passed into .val() and .text(), which directly manipulate the DOM and so don't require or support escaping; thus, the escaping breaks the queries. Remove deXSS where superfluous and replace its one non-superfluous use with safe DOM manipulation.
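As an added illustration (not code from the commit), here is a minimal model of the two sink kinds the message contrasts, with a stand-in `deXSS` assumed to be an ordinary five-character HTML escaper since its real body is not shown: escaping before a text sink (`.text()`/`.val()`) double-encodes the query, while escaping is exactly right before a markup sink (`.html()`).

```javascript
// Stand-in for deXSS (assumption: a standard HTML escaper).
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const deXSS = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);

// Tiny model of a DOM element with a text sink (textContent / jQuery .text()
// and .val(), which store the string verbatim) and a markup sink (innerHTML /
// jQuery .html(), which parses tags and decodes entities). render() returns the
// characters a user would actually see.
class FakeElement {
  constructor() { this.textContent = ""; }
  text(s) { this.textContent = s; return this; }   // verbatim, no escaping wanted
  html(markup) {                                    // tags consumed, entities decoded
    const ENT = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
    this.textContent = markup
      .replace(/<[a-zA-Z/][^>]*>/g, "")
      .replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ENT[e]);
    return this;
  }
  render() { return this.textContent; }
}

// Constructed sample query containing characters the escaper rewrites.
const userQuery = 'a < b && <b>x</b>';

// Before the fix: escape, then text sink -> the user sees entity soup.
function buggyShow(s) { return new FakeElement().text(deXSS(s)).render(); }
// After the fix: text sinks take the raw string unchanged.
function fixedShow(s) { return new FakeElement().text(s).render(); }
// Where markup really is built, escape first and the markup sink shows it literally.
function htmlShow(s) { return new FakeElement().html(deXSS(s)).render(); }
// Unescaped string into a markup sink: the tags are interpreted, not displayed.
function unsafeHtmlShow(s) { return new FakeElement().html(s).render(); }
```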