How to fix checkmarx error "... untrusted data is embedded straight into the output ..."

Question

In a frontend app that uses jQuery I have oversimplified code like this (line numbers included):

...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...

And in Checkmarx I get this error:

The application's {method_name} embeds untrusted data in the generated output with $, at line 130 of {file_name}. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

So - what should I do here? ... Cause this ID attribute is just an ID, you know ... so I have no idea what sanitization or encoding I should perform on it.

Answer 1

Score: 1


I just had a similar issue.

Try replacing:

$('#' + buttonId).focus();

With:

jQuery('#' + buttonId).focus();

Somehow, for this scenario, the scanner doesn't know that the variable $ is the same as the jQuery variable.

Try it out ;o)
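The example below is added here and is not part of the question or the answer. It shows what the Checkmarx finding is actually about: the id read from the DOM is concatenated into a selector string, so jQuery's `$()` applies selector grammar to data the page did not control, and renaming the `$` alias to `jQuery` changes what the scanner sees but not what runs. Two defensive alternatives are shown: escaping the id with the same rules as `CSS.escape()` (which is what `jQuery.escapeSelector` does in jQuery 3.x) before building the selector, or looking the element up with `getElementById`, which takes the id literally and involves no selector parsing at all. The `escapeSelector` re-implementation, the `focusById` helper and the fake document are assumptions made so the code runs without a browser or jQuery; `TAINTED_ID` is a constructed value.

```javascript
// Added example: why "#" + untrustedId is reported as a selector sink, and two
// defensive ways to focus an element by id. Not from the question or the answer.

// Re-implementation of the CSS.escape() rules (the rules jQuery 3.x applies in
// jQuery.escapeSelector). Assumption: used here only so the example runs offline.
const CSS_ESCAPE_RE = /([\0-\x1f\x7f]|^-?\d)|^-$|[^\x80-\uFFFF\w-]/g;

function escapeSelector(value) {
  return String(value).replace(CSS_ESCAPE_RE, (ch, asCodePoint) => {
    if (asCodePoint) {
      // U+0000 becomes U+FFFD, as CSS.escape() specifies
      if (ch === "\0") return "\uFFFD";
      // Control characters and a leading digit are written as hex escapes
      return ch.slice(0, -1) + "\\" + ch.charCodeAt(ch.length - 1).toString(16) + " ";
    }
    // Every other special ASCII character is backslash-escaped
    return "\\" + ch;
  });
}

// What the flagged line does: selector grammar is applied to the id text.
function naiveIdSelector(id) {
  return "#" + id;
}

// Defensive variant: the escaped id can only match that one literal id.
function safeIdSelector(id) {
  return "#" + escapeSelector(id);
}

// Alternative that avoids selector parsing entirely: look the id up directly.
// `doc` is any object with a DOM-like getElementById (the real document in a browser).
function focusById(doc, id) {
  const el = doc.getElementById(id);
  if (el) el.focus();
  return el;
}

// Constructed demonstration data (no real DOM needed).
const TAINTED_ID = "save, body *"; // an id value that did not come from this code
const CLEAN_ID = "save-button_1";

function makeFakeDocument() {
  // Minimal stand-in for document: ids map to elements that record focus()
  const elements = {
    [CLEAN_ID]: { id: CLEAN_ID, focused: false, focus() { this.focused = true; } },
  };
  return { getElementById: (id) => elements[id] || null };
}

console.log(naiveIdSelector(TAINTED_ID)); // #save, body *       -> also matches every element in <body>
console.log(safeIdSelector(TAINTED_ID));  // #save\,\ body\ \*   -> matches only that literal id
console.log(safeIdSelector("1st"));       // #\31 st
```

In the page's own code the minimal change is `$('#' + $.escapeSelector(buttonId)).focus();` on jQuery 3.x, or `$(document.getElementById(buttonId)).focus();` on any version; the second form is easier for a scanner to follow because no string is built from data at all.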

huangapple
  • Posted on 17 May 2023, 21:59:02
  • Reposts must retain the link to this article: https://go.coder-hub.com/76272944.html