How to fix Veracode - Cross site scripting - CWE ID 80 - Basic XSS - use of $(item) in .each function
Problem description
So, when our web application is scanned by Veracode, I get many Cross-Site Scripting flaws, "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" (CWE ID 80).
And, out of the few flaws we have, I could not figure out how to fix this particular scenario. Below is my piece of code:
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
    var label = $(item).text();
    if (label == "Save" || label == "Create")
        $(item).click();
});
I can see the flaw reported on the $(item).text(); and $(item).click(); lines.
I understand that, for text, I can use something like DOMPurify.sanitize to clean the string.
But I could not understand why Veracode is reporting for $(item).click(); Is it because $(item) itself is not safe?
If yes, then how do I fix it? I would greatly appreciate any help in this.
Recommended answer
Okay, found a fix from the DOMPurify library.
You can sanitize a DOM element too using DOMPurify.
So, the code below works:
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});
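To see why a scanner treats $(item) as a sink even though .each hands it a DOM element, here is an added example (not code from the question, the answer, jQuery or DOMPurify) that models the argument dispatch of jQuery.fn.init and rewrites the loop so no string ever reaches $(); the "button" objects in the test are constructed stand-ins for real elements.

```javascript
// jQuery's own quick-match regex: group 1 = HTML, group 2 = "#id".
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Model of what $() does with its argument. The same call site can reach the
// HTML-parsing path whenever the argument is a string, which is why a static
// scanner flags $(item) unless it can prove `item` is a node, not text.
function classifyJQueryArgument(arg) {
  if (arg == null) return "empty";
  if (typeof arg === "string") {
    const s = arg;
    const looksLikeHtml = s.length >= 3 && s[0] === "<" && s[s.length - 1] === ">";
    const m = looksLikeHtml ? [null, s, null] : rquickExpr.exec(s);
    if (m && m[1]) return "parse-html"; // $.parseHTML(): markup is created, XSS sink
    if (m && m[2]) return "get-by-id";  // document.getElementById(): no markup created
    return "selector";                  // .find(): no markup created
  }
  if (typeof arg === "object" && typeof arg.nodeType === "number") {
    return "wrap-node";                 // what .each(function(index, item)) passes
  }
  if (typeof arg === "function") return "ready-callback";
  return "wrap-other";
}

// The question's loop without the $() wrapper: .each already gives the raw
// element, so read its label with textContent (never interpreted as markup)
// and click it directly. Returns the labels clicked so the result is checkable.
function clickSaveOrCreate(buttons) {
  const clicked = [];
  for (const btn of buttons) {
    const label = btn.textContent;
    if (label === "Save" || label === "Create") {
      btn.click();
      clicked.push(label);
    }
  }
  return clicked;
}
```

Note that DOMPurify.sanitize returns a string unless RETURN_DOM is set, so a sanitized `item` takes the string branches above rather than the "wrap-node" one.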