So, when our web application is scanned for Veracode, I get many Cross-Site Scripting flaws,
"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"(CWE ID 80).
And, out of few flaws we have, I could not figure out how to fix this particular scenario. Below is my piece of code -
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
var label = $(item).text();
if (label == "Save" || label == "Create")
$(item).click();
});
I can see flaw reported on $(item).text(); and $(item).click(); lines.
I understand that, for text I can use something like DOMPurify.sanitize to clean the string.
But, I could not understand, why veracode is reporting for $(item).click();
Is it because the $(item) itself is not safe?
If yes then, how do I fix it?
I would greatly appreciate any help in this.
Okay, found fix from DOMPurify library.
You can sanitize DOM element too using DOMPurify.
So, below code works -
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});