
checkmarx scan issue with the js code $(this).attr('name')

I wrote the below line of code in my js file

var radio = DOMPurify.sanitize($($.parseHTML(decodeURIComponent(encodeURIComponent($(this).attr('name'))))).text());

and the checkmarx scan throws the below error at the above line

"The application embeds untrusted data in the generated output with $, at the above line of com.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output."

Can someone please tell me what I am doing wrong and what I need to do in order to fix this vulnerability issue? Thanks in advance

I have implemented DOMPurify.sanitize

I see two conflicting issues in your code.

  1. You're encoding $(this).attr('name') and then decoding it back (why?)
  2. You don't need to use parseHTML since $(this).attr('name') is already a DOM object

You can simply write it as:

// attr() returns a string (or undefined), which has no .text() method, so it is passed to sanitize directly
var radio = DOMPurify.sanitize($(this).attr('name'));
