英文:
How to fix checkmarx error "... untrusted data is embedded straight into the output ..."
问题
In a frontend app that uses jQuery I have an oversimplified code like this (line numbers included):
...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...
And in checkmarx I get this error:
The application's {method_name} embeds untrusted data in the generated output with $, at line 130 of {file_name}. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
So - what should I do here? ... Cause this ID attribute is just an ID, you know ... so I have no idea what sanitization or encoding I should perform on it.
英文:
In a frontend app that uses jQuery I have an oversimplified code like this (line numbers included):
...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...
And in checkmarx I get this error:
The application's {method_name} embeds untrusted data in the generated output with $, at line 130 of {file_name}. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
So - what should I do here? ... Cause this ID attribute is just an ID, you know ... so I have no idea what sanitization or encoding I should perform on it.
答案1
得分: 1
我刚遇到一个类似的问题。
尝试替换:
$('#' + buttonId).focus();
为:
jQuery('#' + buttonId).focus();
不知何故,对于这种情况,扫描器不知道变量$
与jQuery
变量相同。
试一试 ;o)
英文:
I just had a similar issue.
Try replace:
$('#' + buttonId).focus();
With:
jQuery('#' + buttonId).focus();
Somehow for this scenario the scanner doesn't know that the variable $
is same as jQuery
variable.
Try it out ;o)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论