After a Checkmarx scan, we got a report about Client Potential XSS and tried to fix it.
We already tried the following utilities to encode the content, but none works:
https://github.com/cure53/DOMPurify
https://github.com/ESAPI/node-esapi/
https://www.npmjs.com/package/xss-filters
The reported problem code:
$(element).after("<label class='error' style='color: red;'> "+$ESAPI.encoder().encodeForHTML($(error).text())+"</label>");
I understand that injecting a variable into an HTML component should be handled carefully, but I don't know how to meet the Checkmarx requirement.
I hope someone experienced can help.
Thanks,
The solution proposed by @fgb is almost right. Checkmarx seems not to like concatenation when creating HTML.
The following code might not be good enough, but it passes the Checkmarx test:
var label = $("<label class='error' style='color: red;'>");
label.text($(error).text());
$(element).after(label);
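As an added example (not code from the question or the answer above), here are the flagged concatenation, the encoded concatenation and the DOM-built label side by side in plain JavaScript, so the difference the scanner cares about is visible. It assumes only Node: jQuery is replaced by the equivalent DOM calls, `encodeForHTML` is a small stand-in for the ESAPI encoder, and `createFakeDocument` and the `PAYLOAD` string are constructed here so the block runs offline.

```javascript
// Added example, not part of the original question or answer.
// Three ways of building the error label; only the third keeps the
// untrusted message away from the HTML parser entirely.

// Minimal HTML text-context encoder, a stand-in for $ESAPI.encoder().encodeForHTML.
function encodeForHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// 1. Concatenation without encoding: the message reaches the HTML parser
//    verbatim, so a message containing markup executes. This is the bug
//    class "Client Potential XSS" refers to.
function unsafeLabelHtml(message) {
  return "<label class='error' style='color: red;'> " + message + "</label>";
}

// 2. Concatenation with encoding: safe for a text node, because every
//    character that could open a tag or entity is escaped. A taint-tracking
//    scanner still sees untrusted data flowing into an HTML string, which is
//    the shape the answer reports being flagged.
function encodedLabelHtml(message) {
  return "<label class='error' style='color: red;'> " + encodeForHTML(message) + "</label>";
}

// 3. DOM construction: the markup is a constant and the message only ever
//    becomes a text node. This is what the answer's jQuery does:
//      $("<label class='error' style='color: red;'>") -> createElement + className + style
//      label.text(msg)                                -> label.textContent = msg
//      $(element).after(label)                        -> element.insertAdjacentElement('afterend', label)
function buildErrorLabel(doc, message) {
  const label = doc.createElement('label');
  label.className = 'error';
  label.style.color = 'red';
  label.textContent = message; // stored as text, never parsed as HTML
  return label;
}

function showError(doc, element, message) {
  const label = buildErrorLabel(doc, message);
  element.insertAdjacentElement('afterend', label);
  return label;
}

// Constructed stand-in for the browser's document so the block runs in Node.
// It models only what the example touches: createElement, a style bag,
// textContent stored as a plain string, and insertAdjacentElement.
function createFakeDocument() {
  return {
    createElement(tagName) {
      return {
        tagName: tagName.toUpperCase(),
        className: '',
        style: {},
        textContent: '',
        inserted: [],
        insertAdjacentElement(position, el) { this.inserted.push([position, el]); },
      };
    },
  };
}

// Constructed test payload: a markup-bearing "validation message".
const PAYLOAD = '<img src=x onerror=alert(1)>';

// Runs all three variants against the payload and returns what each produced.
function demo() {
  const doc = createFakeDocument();
  const target = doc.createElement('input');
  const label = showError(doc, target, PAYLOAD);
  return {
    unsafe: unsafeLabelHtml(PAYLOAD),        // payload survives as live markup
    encoded: encodedLabelHtml(PAYLOAD),      // payload survives as escaped text
    domText: label.textContent,              // payload is a text node's content
    domSibling: target.inserted[0][1] === label,
  };
}
```

Two caveats when carrying this back to jQuery: `$()` treats any string that starts with `<` as HTML to parse, so the string passed to `$()` must stay a constant template and user data must only ever go through `.text()` (or `.attr()` / `.val()` for attribute contexts); and switching `.text()` to `.html()` reintroduces exactly the concatenation problem the scanner flagged.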