
Veracode Scan: jQuery html method showing Improper Neutralization of Script-Related HTML Tags in a Web Page issue


Veracode is pointing out the issue Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in the line below.

$('#SummaryDiv').html(data);

$.ajax({
    url: 'Target_URL',
    type: 'GET',
    datatype: "json",
    traditional: true,
    cache: false
}).done(function (data) {
    // Line flagged by Veracode: the untrusted response is written straight into the DOM
    $('#SummaryDiv').html(data);
});

I am binding the MVC View Result to a DIV via the ajax call. I checked the articles on Stack Overflow but had no luck. What could be the possible solution to fix this Veracode issue?


Solution

  • I have followed the articles below and fixed the issue by encoding the HTML received from the MVC ViewResult.

    DOM based XSS Prevention Cheat Sheet https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md

    OWASP Enterprise Security API (ESAPI) https://github.com/ESAPI/owasp-esapi-js/blob/28b2767731e672c620b86701a9f98f235951392b/README.md

    ESAPI method to encode untrusted content: $ESAPI.encoder().encodeForHTML(content)
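To show what the accepted fix does to the flagged `.html(data)` sink, here is an added example (not code from the question, from Veracode or from ESAPI). `encodeForHTML` is a simplified stand-in for `$ESAPI.encoder().encodeForHTML()`, `bindSummary` and `fakeElement` are hypothetical helpers, and `SAMPLE_RESPONSE` is a constructed response; it runs in Node without a browser or jQuery.

```javascript
// Added example, not part of the original post. Simplified stand-in for
// $ESAPI.encoder().encodeForHTML(): every character that can open a tag,
// attribute or entity is turned into an HTML entity, so whatever the
// string contains can only be rendered as visible text by .html().
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHTML(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical replacement for the flagged .done() body: encode first, then
// hand the result to the .html() sink. Returns the inserted markup so it can
// be inspected.
function bindSummary($summaryDiv, data) {
  const safe = encodeForHTML(data);
  $summaryDiv.html(safe);
  return safe;
}

// Constructed stand-in for a jQuery-wrapped element (no DOM needed).
function fakeElement() {
  return { _html: '', html(v) { this._html = v; return this; } };
}

// Constructed sample: a ViewResult whose body carries injected markup.
const SAMPLE_RESPONSE = '<p>Total: 42</p><script>alert(1)</script>';

function demo() {
  const el = fakeElement();
  const inserted = bindSummary(el, SAMPLE_RESPONSE);
  // After encoding no raw '<' reaches the sink, so the HTML parser can
  // never build a <script> element from the response.
  return { inserted, hasRawTag: inserted.includes('<') };
}

console.log(demo());
```

Note that this renders the whole response as literal text; if the ViewResult is meant to display as markup, the untrusted values have to be encoded inside the view on the server instead, and only trusted markup handed to `.html()`.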