如何修复Veracode-跨站点脚本-CWE ID 80-基本XSS-在.each函数中使用$(item)
[英]How to fix Veracode - Cross site scripting - CWE ID 80 - Basic XSS - use of $(item) in .each function
问题描述
So, when our web application is scanned for Veracode, I get many Cross-Site Scripting flaws, 
因此,当我们在Web应用程序中扫描Veracode时,我发现许多跨站点脚本缺陷,
"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"(CWE ID 80).
And, out of few flaws we have, I could not figure out how to fix this particular scenario. 而且,由于存在一些缺陷,我无法弄清楚如何解决此特定情况。 Below is my piece of code - 以下是我的代码-
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
var label = $(item).text();
if (label == "Save" || label == "Create")
$(item).click();
});
I can see flaw reported on $(item).text(); 我可以看到在$(item).text();上报告了缺陷$(item).text(); and $(item).click(); 和$(item).click(); lines. 线。
I understand that, for text I can use something like DOMPurify.sanitize to clean the string. 我知道,对于文本,我可以使用DOMPurify.sanitize类的DOMPurify.sanitize来清理字符串。
But, I could not understand, why veracode is reporting for $(item).click(); 但是,我不明白,为什么Veracode为$(item).click(); Is it because the $(item) itself is not safe? 是因为$(item)本身不安全吗?
If yes then, how do I fix it? 如果是,那我该如何解决? I would greatly appreciate any help in this. 我将不胜感激。
1 个解决方案
解决方案1
0 已采纳 2018-12-17 12:49:56
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.