Javascript / jQuery XSS potential read from query strings

My JavaScript reads the data from the query string and puts that data in a text box using jQuery.val().

This works fine, but I wonder if it is safe from XSS attacks?

Say the query string looked like ...

site.com?q="javascript:alert(document.cookie)

This effectively results in:

jQuery.val('"javascript:alert(document.cookie)')

From what I tested in IE8 / firefox, this sets the input value as shown and does not perform the actual injection.

If I first ran the value through this function:

 function htmlEncode(str) {
   // encode '&' first so an existing '&' is not read as the start of an entity
   return str.replace(/&/g, '&amp;')
             .replace(/</g, '&lt;')
             .replace(/>/g, '&gt;')
             .replace(/'/g, '&#039;')
             .replace(/"/g, '&quot;');
 }

Then you literally see &quot;javascript:alert(document.cookie) in the input value, which is not what I want.

I am using jQuery 1.5.2. I suppose my question is whether jQuery.val() handles HTML objects for you and is therefore considered safe?

1 answer

Given the following:

 jQuery("#SomeTextbox").val("new value for SomeTextbox") 

The jQuery code for the val function simply does the following:

 this.value = "new value for SomeTextbox"; 

where this is a reference to a Text object in the DOM that represents a text field with the identifier "SomeTextbox". The string "new value for SomeTextbox" is stored as the value property of this DOM object. It is in no way transformed or sanitized. But it is also not processed or interpreted by the JavaScript engine (for example, as it would be with innerHTML). Therefore, regardless of your val argument, it is not going to do anything. It just changes the value of a string property of the object in the DOM. So yes, that would be safe.

EDIT:

See below for additional information that may be helpful.

In general, putting something in a text field, no matter how malicious it may appear, and no matter how it got there, is "safe" as long as it remains in the text field. But where it goes from there matters a lot.

If the contents of the text field are subsequently displayed in a stream of parsed HTML, it is no longer safe. A common scenario is to store the contents of a text field in a database, then retrieve it later and display it in a context that the browser parses as HTML. If that redisplay happens in another user's session, it gives an attacker the opportunity to enter data in the text field in order to gain access to other users' private information later.

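The answer's point, that the right encoding depends on the sink the query-string value flows into, as an added example that is not part of the original question or answer. It assumes the parameter name q from the question and the element id SomeTextbox from the answer; readQueryParam, escapeHtml, valueForInputProperty, inputMarkupFor, decodeEntities, applyToDom and demo are names introduced here. It runs under Node (no DOM needed) and, in a browser, also applies the value to the page.

```javascript
// Added example: property sink vs. HTML-markup sink for a query-string value.
// Assumed names: parameter "q", element ids "SomeTextbox" and "echo".

// Parse the query string the way the browser exposes it (URLSearchParams
// exists in browsers and in Node).
function readQueryParam(search, name) {
  const params = new URLSearchParams(search);
  return params.get(name) || '';
}

// Escaper for HTML text and attribute contexts. Escaping '&' first is what
// the asker's htmlEncode omits; without it a value that already contains an
// entity, such as "&lt;", would be decoded back to "<" by the parser.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Sink 1: the DOM property (what jQuery.val() ends up doing). The string is
// stored verbatim and the HTML parser never sees it, so the raw value is the
// correct input. Pre-encoding here causes the literal "&quot;" the asker saw.
function valueForInputProperty(raw) {
  return raw;
}

// Sink 2: markup built as a string (server template, innerHTML, ...). Here
// the parser does see the text, so it must be escaped for the attribute
// context it lands in; otherwise a '"' would close the attribute early.
function inputMarkupFor(raw) {
  return '<input id="SomeTextbox" value="' + escapeHtml(raw) + '">';
}

// Model of what the browser's HTML parser recovers from the escaped
// attribute: the entities decode back to the original text (decode '&amp;'
// last so it cannot manufacture new entities).
function decodeEntities(escaped) {
  return escaped
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Browser path: property sink for the text box, and textContent (never
// innerHTML) if the same value is echoed elsewhere on the page.
function applyToDom(doc, raw) {
  const box = doc.getElementById('SomeTextbox');
  if (box) box.value = valueForInputProperty(raw);
  const echo = doc.getElementById('echo');
  if (echo) echo.textContent = raw;
}

// Constructed sample: the query string from the question.
const SAMPLE_SEARCH = '?q="javascript:alert(document.cookie)';

function demo() {
  const raw = readQueryParam(SAMPLE_SEARCH, 'q');
  const markup = inputMarkupFor(raw);
  const attr = markup.match(/value="([^"]*)"/)[1];
  return {
    raw,                                     // what val() should receive
    property: valueForInputProperty(raw),
    markup,                                  // what a template should emit
    roundTrip: decodeEntities(attr),         // what the parser gives back
  };
}

if (typeof document !== 'undefined') {
  applyToDom(document, readQueryParam(window.location.search, 'q'));
} else {
  console.log(demo());
}
```

The property path and the markup path both end with the same text in the input; the difference is only who is responsible for escaping. With val() nobody has to, because no parser runs; with string-built markup the template has to, and the asker's experiment of pre-encoding before val() simply applied the markup path's escaping to the property path.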

Source: https://habr.com/ru/post/887516/
