
How to prevent Client DOM Code Injection Vulnerability in Javascript?

Method function at line xxx of .../addAnnouncements.js gets a client-side controlled data for the json element. This element's value is used in client-side code without being properly sanitized or validated and is eventually integrated into the HTML code in function at lines yyy and zzz of .../addAnnouncements.js.

Script as follows:

    function addAnnouncement() {
        try {
            var formData = $('form').serialize();
            $('div.block').block();
            jQuery.ajax({
                type: "POST",
                url: "bat.ajax",
                data: formData,
                dataType: 'json',
                cache: false,
                success: function(json) {              // line xxx
                    if(json.ERROR == '') {             // line yyy
                        alert("The announcement has been saved");
                        $('div.block').unblock();
                    } else {
                        alert(json.ERROR);             // line zzz
                        $('div.block').unblock();
                    }
                },
                error: function() {
                    $('div.block').unblock();
                    alert('The request could not be fulfilled due an internal error, please try again.');
                }
            });
        } catch(e) {}
    }

The following lines may enable a DOM code injection attack:

    if(json.ERROR == '') {

and

    alert(json.ERROR);

Could someone help me with how to sanitize the above scenario to satisfy Checkmarx?

Please refer to the code below. It should be helpful.

JSON is in string format, so we can't access it by dot (.).

JSON.parse() is used for JSON-to-Object conversion. Now we can access it by using dot (.).

    function addAnnouncement() {
        try {
            var formData = $('form').serialize();
            $('div.block').block();
            jQuery.ajax({
                type: "POST",
                url: "bat.ajax",
                data: formData,
                dataType: 'json',
                cache: false,
                success: function(json) {              // line xxx
                    var json = JSON.parse(json);
                    if(json.ERROR == '') {             // line yyy
                        alert("The announcement has been saved");
                        $('div.block').unblock();
                    } else {
                        alert(json.ERROR);             // line zzz
                        $('div.block').unblock();
                    }
                },
                error: function() {
                    $('div.block').unblock();
                    alert('The request could not be fulfilled due an internal error, please try again.');
                }
            });
        } catch(e) {}
    }
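The finding is really about json.ERROR being server-controlled data that flows into the page unchecked. An added example (not code from the question or the answer above) that validates the message's shape and encodes it before it can reach HTML; the function names, the 200-character limit and the generic fallback message are assumptions made for this example:

```javascript
// Added example (not from the question or the answer above): treat json.ERROR as
// untrusted data. validateError() allow-lists the shape of the message and
// escapeHtml() encodes it for the one place Checkmarx worries about, HTML output.
// Names, the length limit and the generic message are assumptions for this example.

var MAX_ERROR_LENGTH = 200;      // assumed upper bound for a server error message
var GENERIC_ERROR = 'The announcement could not be saved.';

// Return a safe message derived from the untrusted response object.
// '' keeps the original meaning of "no error"; anything unexpected becomes GENERIC_ERROR.
function validateError(json) {
  if (json === null || typeof json !== 'object') return GENERIC_ERROR;
  var err = json.ERROR;
  if (typeof err !== 'string') return GENERIC_ERROR;  // arrays, objects, numbers, undefined
  if (err === '') return '';
  // Allow-list: printable ASCII only, bounded length; control characters are rejected.
  if (err.length > MAX_ERROR_LENGTH || !/^[\x20-\x7E]+$/.test(err)) return GENERIC_ERROR;
  return err;
}

// Encode the characters that carry meaning in HTML so text dropped into
// innerHTML or a template cannot create elements or attributes.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// The decision logic of the success handler, kept free of jQuery so it is testable.
function handleResponse(json) {
  var message = validateError(json);
  return message === '' ? { saved: true } : { saved: false, message: message };
}

// Render the message as text, not markup: textContent never invokes the HTML parser.
// `container` is any element-like object with a textContent property.
function showError(container, json) {
  var result = handleResponse(json);
  container.textContent = result.saved ? '' : result.message;
  return result;
}
```

In the jQuery success handler you would call showError(document.getElementById('status'), json) instead of alert(json.ERROR); escapeHtml() is only needed if the message is ever concatenated into HTML.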
