How to fix Veracode - Cross site scripting - CWE ID 80 - Basic XSS - use of $(item) in .each function
So, when our web application is scanned by Veracode, I get many Cross-Site Scripting flaws, "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" (CWE ID 80).

And, out of the few flaws we have, I could not figure out how to fix this particular scenario. Below is my piece of code:
    // Iterate over the visible buttons of the jQuery UI dialog button set
    $(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
        var label = $(item).text();
        if (label == "Save" || label == "Create")
            $(item).click();
    });
I can see the flaw reported on the $(item).text(); and $(item).click(); lines.

I understand that, for text, I can use something like DOMPurify.sanitize to clean the string.

But I could not understand why Veracode is reporting for $(item).click();

Is it because $(item) itself is not safe?

If yes, then how do I fix it? I would greatly appreciate any help in this.