
I've just completed my first Veracode static scan of an ASP.NET MVC web application, and Veracode found dozens of CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page flaws.

Nearly all of them involve the use of the jQuery html() method. Our pattern is to make a $.ajax() call in JavaScript, and in the success event display the results of the $.ajax call in an HTML element, like so:

success: function(data) {
    $('#elementid').html(data);
}

In most cases these $.ajax() calls are to MVC controller methods that return MVC partial views, chock full of HTML tags, etc.

How would we alter our JavaScript so that calls like this are not flagged as CWE-80 flaws by Veracode? Can we still do client-side $.ajax calls to controller methods that return blobs of HTML and pass muster with Veracode?

Tom Regan

2 Answers

I scheduled a Veracode consultation and learned that Veracode simply marks all $.html() calls as flaws of Medium severity. There are two courses of action open to us:

  1. Mark the flaw as "mitigated" with an explanation, or
  2. Change the code to remove all calls to $.html().

We are choosing to mark all of these flaws as "mitigated."

Tom Regan

Granted this post is almost 2 years old, yet I hit on it as I just ran into the same issue. Mitigation was not an option for us. Luckily, we found the JavaScript WebAPI on Mozilla Developer Network.

In our case we are creating a dropdown list and appending each option via jQuery append(). The Web API sanitizes the data enough that Veracode should allow the append or html method calls.

https://developer.mozilla.org/en-US/docs/Web/API

dj_datum
  • Thanks @dj_datum. What exactly did you do to "sanitize" your data? And when you say "should," does that mean you've not run the static scan yet using this web api? – Tom Regan May 27 '20 at 00:33
  • We just had a Veracode consult and our contact was happy with us using the WebAPI which did pass the scan. Using the WebAPI parses the data enough that using the jQuery methods is not flagged as dangerous. To sanitize we tried using a regular expression to scan the text parameters to conform to text with no characters besides a comma. The scan still marked it as a fail. – dj_datum May 29 '20 at 12:25
  • @dj_datum Which Web API did you use? – johnborges Feb 03 '22 at 18:50
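The following is an added example, not code from the question or either answer. It contrasts the two ways of filling a dropdown that the thread discusses: concatenating an HTML string and handing it to $(sel).html() or .append(), versus creating nodes through the DOM Web API (createElement, textContent, appendChild), which is what the second answer means by "using the WebAPI". The item shape `{ value, label }`, the function names, and the small stand-in `document` (used so the block also runs under Node; in a browser you would pass the real `document`) are all assumptions of this example.

```javascript
// Added example (not from the question or answers): HTML-string concatenation
// versus DOM-API node construction for a <select> filled from an AJAX response.
// Assumed data shape: [{ value, label }, ...]. `doc` is the browser `document`
// or the stand-in defined below.

// Unsafe pattern: data is interpolated into markup, so a label containing
// "<script>" or a value containing a quote becomes live HTML/attributes
// the moment the string reaches $(sel).html() or .append().
function renderOptionsUnsafe(items) {
  return items.map(function (it) {
    return '<option value="' + it.value + '">' + it.label + '</option>';
  }).join('');
}

// Safe pattern: value and label are assigned as properties of real nodes,
// so angle brackets and quotes in the data stay inert whatever the input.
function renderOptions(items, doc) {
  var fragment = doc.createDocumentFragment();
  items.forEach(function (it) {
    var opt = doc.createElement('option');
    opt.value = String(it.value);
    opt.textContent = String(it.label); // not innerHTML, not .html()
    fragment.appendChild(opt);
  });
  return fragment; // in a browser: $('#list')[0].appendChild(fragment)
}

// Where a string must be built anyway, encode the data first (the client-side
// counterpart of the HTML encoding Razor applies to @model output).
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Minimal stand-in for `document`: just createElement, createDocumentFragment,
// appendChild, value and textContent, so the block runs outside a browser.
function makeStandInDocument() {
  function makeNode(tag) {
    return {
      tag: tag, value: '', textContent: '', children: [],
      appendChild: function (child) { this.children.push(child); return child; }
    };
  }
  return {
    createElement: function (tag) { return makeNode(tag); },
    createDocumentFragment: function () { return makeNode(null); }
  };
}

// Serialises a stand-in node the way a browser's outerHTML would: text and
// attribute values come out encoded, which is why data cannot become markup.
function serialize(node) {
  var inner = escapeHtml(node.textContent) + node.children.map(serialize).join('');
  if (node.tag === null) return inner; // a fragment has no tag of its own
  var attrs = node.value ? ' value="' + escapeHtml(node.value) + '"' : '';
  return '<' + node.tag + attrs + '>' + inner + '</' + node.tag + '>';
}

// Constructed sample data: the second record is what a user-controlled row
// in the database might look like once it reaches the client.
var sampleItems = [
  { value: 1, label: 'Plain label' },
  { value: '2" onmouseover="x', label: '<script>alert(1)</script>' }
];

// Renders the sample both ways so the difference can be inspected or asserted.
function demo() {
  var doc = makeStandInDocument();
  return {
    unsafe: renderOptionsUnsafe(sampleItems),
    safe: serialize(renderOptions(sampleItems, doc))
  };
}
```

For the partial-view case in the question this does not remove the .html() call, and it is not meant to: a controller that returns server-rendered Razor markup is trusted HTML by design, and the place to neutralise user data is the view that renders it. The DOM-API approach is for data-driven UI such as the dropdown in the second answer, where the client has raw values and should never turn them into markup itself.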