
Is using a URL to call AJAX from a hidden field XSS safe?

Developer https://www.devze.com 2023-03-30 19:31 Source: Internet

Is it XSS safe to do something like this in jQuery?

<html>
...
<input type="text" id="message" value="" />

<input type="hidden" id="url" name="url" value="http://www.mysite.com/ajax-server-code" />

<script>
var url = $('#url').val();   // read the field's value string, not the jQuery object
$.ajax({
    url: url,
    dataType: 'json',
    success: function(data) {
        $('#message').html(data.message);   // '#' is needed to select by id
    }
});
</script>
...
</html>

Basically, what I do here is:

  • Use a hidden field to know which ajax URL to call
  • Call the Ajax to the URL
  • Use this data to change the DOM


Yea that's fine. I don't see any XSS problems with that.


The DOM is editable using the DOM Inspector in Firefox anyway, so you should never trust the browser to do or have what you think it should. Check any data you receive.

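A hardened counterpart to the snippet in the question, added here as an example (it is not the asker's code or either answer's). It assumes the page origin is http://www.mysite.com as in the question and that the JSON response carries a plain-string `message` field; the two sinks it addresses are the hidden field feeding `url:` and `data.message` feeding `.html()`.

```javascript
// Assumed page origin, taken from the URL in the question.
const PAGE_ORIGIN = 'http://www.mysite.com';

// Accept the hidden field's value only if it resolves to the page's own
// origin over http(s). Anything else (other hosts, javascript:, junk)
// yields null so the request is simply not sent.
function safeAjaxUrl(candidate, pageOrigin = PAGE_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(String(candidate), pageOrigin); // resolves relative paths too
  } catch (e) {
    return null;
  }
  if (parsed.origin !== new URL(pageOrigin).origin) return null;
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Pull the message out of the decoded response, refusing anything that is
// not a plain string (an object or array should never reach the DOM).
function messageFromResponse(data) {
  if (!data || typeof data.message !== 'string') return '';
  return data.message;
}

// Only needed if the message must be spliced into markup you control, e.g.
// $('#message').html('<b>' + escapeHtml(msg) + '</b>'); with .text() below
// no escaping is required because the browser sets textContent.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Browser wiring with jQuery, as in the question; skipped where $ is absent.
if (typeof $ !== 'undefined') {
  const url = safeAjaxUrl($('#url').val());
  if (url) {
    $.ajax({
      url: url,
      dataType: 'json',
      success: function (data) {
        // .text() renders any tags inside data.message as literal characters.
        $('#message').text(messageFromResponse(data));
      }
    });
  }
}
```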
