I've just completed my first Veracode static scan of an asp.net mvc web application, and Veracode found dozens of CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page flaws.
Nearly all of them involve the use of the jquery html() method. Our pattern is to make a $.ajax() call in javascript, and in the success event display the results of the $.ajax call in an html element, like so:
success: function(data) {
$('#elementid').html(data);
}
In most cases these $.ajax() calls are to MVC controller methods that return MVC partial views, chock full of html tags and etc.
How would we alter our javascript so that calls like this are not flagged as CWE-80 flaws by Veracode? Can we still do client-side $.ajax calls to controller methods that return blobs of html and pass muster with Veracode?
I scheduled a Veracode consultation and learned that Veracode simply marks all $.html() calls as flaws of Medium severity. There are two courses of action open to us:
We are choosing to mark all of these flaws as "mitigated."