Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.6k views
in Technique[技术] by (71.8m points)

javascript - How to fix Veracode - Cross site scripting - CWE ID 80 - Basic XSS - use of $(item) in .each function

So, when our web application is scanned for Veracode, I get many Cross-Site Scripting flaws,

"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"(CWE ID 80).

And, out of few flaws we have, I could not figure out how to fix this particular scenario. Below is my piece of code -

$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
    var label = $(item).text();
    if (label == "Save" || label == "Create")
        $(item).click();
});

I can see flaw reported on $(item).text(); and $(item).click(); lines.
I understand that, for text I can use something like DOMPurify.sanitize to clean the string.
But, I could not understand, why veracode is reporting for $(item).click(); Is it because the $(item) itself is not safe?
If yes then, how do I fix it? I would greatly appreciate any help in this.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Okay, found fix from DOMPurify library. You can sanitize DOM element too using DOMPurify.
So, below code works -
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...