
I ran my web application (built with the Play Framework using Java) through Veracode and it has returned the warning:

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

for my jQuery function .html().

I am updating a <table> element with HTML from a REST call.

Here is the JavaScript:

function getPTPComments() {
    var finalURL = restURL + "/restGetCommentsTable";
    var keyToSend = $("#ptpKey").val();
    var htmlTable = "";

    // Clear the comments table...
    $("#displayCommentsOnTab").empty();

    $.ajax({
        type: "POST",
        url: finalURL,
        data: keyToSend,
        dataType: "text",
        contentType: "text/plain",
        success: function (resp) {
            htmlTable = resp;
        },
        error: function (req, status, err) {
            console.log("tabCommentsTab - something went wrong");
            console.log("tabCommentsTab - req: " + req);
            console.log("tabCommentsTab - status: " + status);
            console.log("tabCommentsTab - err: " + err);
        }
    });

    // Replace table html with htmlTable...
    $("#displayCommentsOnTab").html(htmlTable); // WARNING HERE
}

I found a few posts on this, but I am not sure how to change my code to remove this warning:

Avoid Veracode CWE-80: Improper Neutralization of Script-Related HTML in jquery htm() method

How to fix “Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)” in PHP output string

https://www.codeproject.com/Questions/1062655/Improper-Neutralization-of-Script-Related-HTML-Tag

If you have any ideas on how to update my code, I look forward to your response.

Dan
  • Your code won't work anyway because you're trying to use the ajax response before the response actually arrives. – Pointy Aug 08 '18 at 13:49
  • The code above is working fine. How do I fix the jQuery so I do not receive that warning from Veracode? I appreciate the help. – Dan Aug 08 '18 at 13:53
  • It *can't* work. The "success" callback will be invoked long after that `.html()` call is made, because it's the result of an asynchronous HTTP request. As to the Veracode error, as far as I can tell that product is simply wrong in general; it *may* be "dangerous" to update the DOM that way, but there's simply no way it can be sure of that. – Pointy Aug 08 '18 at 13:55
  • My other question is, how would you approach writing the code above, if it is not written in the correct sequence? I look forward to your response - thanks! – Dan Aug 08 '18 at 13:56
  • @Dan put the last line of code about replacing the table html in the success handler. (not an answer for your warning problem) – Mark Baijens Aug 08 '18 at 13:58
  • Put the `$("#displayCommentsOnTab").html(htmlTable);` line *inside* the "success" callback. – Pointy Aug 08 '18 at 13:58
  • Thanks! I will do that. Any other ideas on how to avoid that warning? – Dan Aug 08 '18 at 14:01

1 Answer


The HTML returned by the API is considered unsafe or "tainted". That is why it is being flagged when you inject it into the DOM as HTML.

If you have the ability to change the API or write a new API then one solution would be to make an API which returns the data for the table and not the HTML table itself. Then you can use the jQuery .text() method to insert the data into a table you create in JavaScript. By using the text method you will remove the possibility of injecting arbitrary HTML or scripts returned by the API.

Alternatively, make absolutely sure all of the data contained in the table is properly escaped and there is no chance of XSS coming from this table before mitigating the finding.

Jeremy
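Added example (not part of the question or the answer above) of the two approaches the answer describes: a data-only endpoint whose rows are inserted with `.text()`, and, as the fallback, a renderer that escapes every cell before the string reaches `.html()`. The `/restGetComments` endpoint, the `sampleComments` payload and its field names are assumptions; the original endpoint returns a ready-made HTML table.

```javascript
// Constructed sample of the JSON a data-only endpoint would return; "mallory"'s
// comment carries markup so the two rendering paths can be compared.
const sampleComments = [
  { author: "alice", date: "2018-08-08", text: "Looks good" },
  { author: "mallory", date: "2018-08-08", text: "<img src=x onerror=alert(1)>" },
];

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fallback path: every cell goes through escapeHtml, so the string handed to
// .html() cannot carry markup that originated in the API payload.
function renderCommentsTable(comments) {
  const rows = comments.map((c) =>
    "<tr><td>" + escapeHtml(c.author) + "</td><td>" + escapeHtml(c.date) +
    "</td><td>" + escapeHtml(c.text) + "</td></tr>").join("");
  return "<table><thead><tr><th>Author</th><th>Date</th><th>Comment</th></tr></thead>" +
    "<tbody>" + rows + "</tbody></table>";
}

// Preferred path from the answer: build elements and fill them with .text(),
// which never parses the values as HTML. Needs jQuery and a DOM, so it is not
// exercised by the assertions that accompany this block.
function appendCommentsTable($, container, comments) {
  const table = $("<table>");
  const head = $("<tr>");
  ["Author", "Date", "Comment"].forEach((h) => head.append($("<th>").text(h)));
  table.append($("<thead>").append(head));
  const body = $("<tbody>");
  comments.forEach((c) => {
    const row = $("<tr>");
    [c.author, c.date, c.text].forEach((v) => row.append($("<td>").text(v)));
    body.append(row);
  });
  container.empty().append(table.append(body));
}

// Browser wiring: the DOM update happens inside the success callback, as the
// comments on the question point out, and dataType "json" replaces the HTML response.
function getPTPComments($, restURL) {
  $.ajax({
    type: "POST",
    url: restURL + "/restGetComments", // hypothetical data-only endpoint
    data: $("#ptpKey").val(),
    dataType: "json",
    contentType: "text/plain",
    success: (comments) => appendCommentsTable($, $("#displayCommentsOnTab"), comments),
    error: (req, status, err) => console.log("getPTPComments failed: " + status + " " + err),
  });
}
```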