A system we developed was run through Veracode for security flaws. It highlighted an "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" item on a JavaScript function that pops up a view in a modal dialog. The view has no data entry and doesn't display previously entered data.

Is the problem the transaction id? It is system generated and held in a hidden field. If so, should applying HTML.Encode() to the transactionID in the Razor syntax of the view (the one returned by the $.get) be sufficient to mitigate this issue? In fact Veracode seems to raise this error for every usage of .html() in our JavaScript. Pulling the html() calls out of the JS files is too big a task. I would appreciate any help anyone could give.

var $dialog = $('<div></div>');
$dialog.dialog({
    autoOpen: false,
    height: 300,
    width: 500,
    modal: true,
    title: ''
});
DisplayModalStatement($dialog);

// Fetches the StatementDialog view for the current transaction and shows it in
// the modal. Veracode flags the .html(data) call: data is raw markup returned by
// the server, and any script it contained would run in the page.
function DisplayModalStatement(modalDialog) {
    var transactionid = $('#TransactionId').val();   // system-generated, hidden field
    $.get($.globals.appActionRoot + '/StatementDialog',
        { transactionId: transactionid, wizardType: GetWizardType() },
        function (data) {
            modalDialog.html(data);        // inserts the returned view as HTML
            modalDialog.dialog('open');
        }
    );
}
Christopher Marshall
Seamus Barrett
  • I would guess transactionId is not the problem, but that it would be complaining about the html() call. This is because the data variable could contain script, and script would be executed at runtime from that call, and could cause an XSS attack. I don't know what it would take to get VeraCode to complain; hopefully there is documentation on that somewhere? – Brian Mains Oct 19 '15 at 18:43

1 Answer

It is giving you a warning as potentially untrusted data is being used to set an HTML element with raw markup.

Yes, you should HTML encode transaction ID server side if this is the only variable inside data.

SilverlightFox
  • I think you are right. I have scheduled a discussion with a Veracode representative tomorrow. Hopefully he or she will be able to clear this up. I will report my findings here once complete. Thanks – Seamus Barrett Oct 21 '15 at 13:21
  • @SeamusBarrett I am also getting a warning from Veracode on the .html() method. So what was the problem here? What did you find out? A problem with the HTML encoding or the data inside it? Please help. – Waqar ul islam May 01 '18 at 20:07
  • Hi, as best as I can remember I spoke with a Veracode engineer and the issue was simply with the use of html() and a possibility of malicious content. We had our client add a mitigation in Veracode for the issue on the grounds that the source is trusted. I also encoded the transaction id. – Seamus Barrett May 03 '18 at 08:36
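The answer's advice, as an added example (not code from the question, the answer, or Veracode): a plain-JS stand-in for the Razor view's hidden field, rendered once with the transaction id raw and once HTML-encoded, plus a well-formedness check on the id. The encoder, the GUID/integer format assumption, and all function names are this example's own.

```javascript
// Equivalent of Razor's Html.Encode for the characters that matter when a
// value is placed inside an HTML attribute or text node.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Models the hidden field the StatementDialog view returns to .html(data).
// encode=false is the pattern Veracode objects to; encode=true is the fix.
function renderHiddenField(transactionId, encode) {
  const v = encode ? htmlEncode(transactionId) : transactionId;
  return `<input type="hidden" id="TransactionId" value="${v}" />`;
}

// Defence in depth on the server side: a system-generated id is assumed here
// to be a GUID or an integer, so anything else is rejected before rendering.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isWellFormedTransactionId(id) {
  return GUID_RE.test(id) || /^\d{1,18}$/.test(id);
}

// Checks whether the rendered fragment still has a raw quote or angle
// bracket inside the value attribute, i.e. whether the attribute boundary
// could be broken out of. Used as this example's assertion.
function containsMarkupBreakout(fragment) {
  const m = fragment.match(/value="(.*)" \/>$/s);
  return !m || /["<>]/.test(m[1]);
}

// Constructed sample ids: one well-formed, one tampered.
const goodId = '7f3c1d2e-0b4a-4c8d-9e1f-2a3b4c5d6e7f';
const tamperedId = '<not-an-id>"';

function demo() {
  return {
    rawUnsafe: containsMarkupBreakout(renderHiddenField(tamperedId, false)),    // true
    encodedSafe: !containsMarkupBreakout(renderHiddenField(tamperedId, true)),  // true
    goodAccepted: isWellFormedTransactionId(goodId),                             // true
    tamperedRejected: !isWellFormedTransactionId(tamperedId)                     // true
  };
}
```

Encoding the only dynamic value at render time is what makes the markup handed to .html(data) safe; the Veracode mitigation then documents that the rest of the returned view is static and trusted.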