避免Veracode CWE-80:jquery htm()方法中与脚本相关的HTML的不正确中和 [英] Avoid Veracode CWE-80: Improper Neutralization of Script-Related HTML in jquery htm() method
问题描述
我刚刚完成了对asp.net mvc Web应用程序的第一次Veracode静态扫描,并且Veracode发现了数十个CWE-80:网页中与脚本相关的HTML标记的不正确中和.
I've just completed my first Veracode static scan of an asp.net mvc web application, and Veracode found dozens of CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page flaws.
几乎所有这些方法都涉及到使用jQuery html()方法.我们的模式是在javascript中进行$ .ajax()调用,并在成功事件中以html元素显示$ .ajax调用的结果,如下所示:
Nearly all of them involve the use of the jquery html() method. Our pattern is to make a $.ajax() call in javascript, and in the success event display the results of the $.ajax call in an html element, like so:
success: function(data) {
$('#elementid').html(data);
}
在大多数情况下,这些$ .ajax()调用是针对MVC控制器方法的,这些方法返回MVC部分视图,塞满html标签等.
In most cases these $.ajax() calls are to MVC controller methods that return MVC partial views, chock full of html tags and etc.
我们将如何更改JavaScript,以免Veracode将此类调用标记为CWE-80缺陷?我们仍然可以对控制器方法进行客户端$ .ajax调用,该方法返回html的blob并通过Veracode传递请求吗?
How would we alter our javascript so that calls like this are not flagged as CWE-80 flaws by Veracode? Can we still do client-side $.ajax calls to controller methods that return blobs of html and pass muster with Veracode?
推荐答案
我安排了一次Veracode咨询,并了解到Veracode只是将所有$ .html()调用标记为中等严重性缺陷.我们可以采取两种行动方式:
I scheduled a Veracode consultation and learned that Veracode simply marks all $.html() calls as flaws of Medium severity. There are two courses of action open to us:
- 通过说明将缺陷标记为已缓解",或
- 更改代码以删除对$ .html()的所有调用.
我们选择将所有这些缺陷标记为已缓解".
We are choosing to mark all of these flaws as "mitigated."
这篇关于避免Veracode CWE-80:jquery htm()方法中与脚本相关的HTML的不正确中和的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!