Using .html() in MVC to display dialog gives XSS error in Veracode

A system we developed was run through Veracode for security flaws. It highlighted an "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" item on a JavaScript function that pops up a view in a modal dialog. The view has no data entry and doesn't display previously entered data.

Is the problem the transaction id? It is system generated and held in a hidden field. If so, should applying HTML.Encode() to the transactionID in the Razor syntax of the view (the one returned by the $.get) be sufficient to mitigate this issue? In fact, Veracode seems to raise this error for every usage of .html() in our JavaScript. Pulling the html() calls out of the JS files is too big a task. I would appreciate any help anyone could give.

// Create an empty container and turn it into a (closed) jQuery UI modal dialog.
var $dialog = $('<div></div>');
$dialog.dialog({
    autoOpen: false,
    height: 300,
    width: 500,
    modal: true,
    title: ''
});
DisplayModalStatement($dialog);

// Fetch the StatementDialog view for the current transaction and show it in the modal.
function DisplayModalStatement(modalDialog) {
    // The transaction id is system generated and stored in a hidden field on the page.
    var transactionid = $('#TransactionId').val();
    $.get($.globals.appActionRoot + '/StatementDialog',
        { transactionId: transactionid, wizardType: GetWizardType() },
        function (data) {
            // 'data' is the server-rendered HTML fragment; .html() inserts it as raw markup.
            // This is the sink Veracode flags.
            modalDialog.html(data);
            modalDialog.dialog('open');
        }
    );
}

It is giving you a warning as potentially untrusted data is being used to set an HTML element with raw markup.

Yes, you should HTML encode the transaction ID server side if this is the only variable inside data.
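Added example (not from the original question or answers, and not Veracode's or jQuery's code): a plain Node script that shows why the .html(data) sink is flagged and what HTML-encoding the transaction id server side actually changes. The /StatementDialog view is simulated by a small template function, htmlEncode stands in for Razor's Html.Encode (the same five-character escaping), and both transaction ids are constructed test values.

```javascript
// Minimal equivalent of what Razor's Html.Encode (or plain @variable output) does:
// escape the characters that can start or end markup, so the value can only ever
// render as text inside the element, never as a new tag or attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical stand-in for the server-side /StatementDialog view.
// encode=false interpolates the id raw (the pattern behind the Veracode finding);
// encode=true is the fix suggested in the answer above.
function renderStatementDialog(transactionId, encode) {
  const id = encode ? htmlEncode(transactionId) : transactionId;
  return `<div class="statement"><p>Transaction <span id="txn">${id}</span></p></div>`;
}

// The template itself contains exactly six tags. Any extra '<' in a rendered
// fragment means the id contributed markup of its own. This is a cheap check a
// reviewer can run over rendered fragments in a unit test.
const TEMPLATE_TAG_COUNT = 6;
function countTags(fragment) {
  return (fragment.match(/</g) || []).length;
}
function idRenderedAsTextOnly(fragment) {
  return countTags(fragment) === TEMPLATE_TAG_COUNT;
}

// Constructed inputs: a normal system-generated id and a hostile one, standing in
// for whatever a tampered hidden field or request parameter could carry.
const CONSTRUCTED_IDS = {
  benign: 'TXN-000123',
  hostile: '<script>alert(1)</script>',
};

// Run the comparison for both ids; returns a summary object rather than printing.
function compare() {
  const out = {};
  for (const [name, id] of Object.entries(CONSTRUCTED_IDS)) {
    const raw = renderStatementDialog(id, false);
    const enc = renderStatementDialog(id, true);
    out[name] = {
      rawIsTextOnly: idRenderedAsTextOnly(raw),
      encodedIsTextOnly: idRenderedAsTextOnly(enc),
      encodedFragment: enc,
    };
  }
  return out;
}

// Stand-alone run prints the verdicts; the interesting row is 'hostile'.
console.log(JSON.stringify(compare(), null, 2));
```

The point the check makes concrete: once the fragment is built with the id encoded, modalDialog.html(data) receives the same six tags it would for any benign id, and the hostile value shows up as literal text. Encoding is the right fix only while the id is the sole variable in the view; any other value interpolated there, or any attribute or URL context, needs the same treatment on its own.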
