2

Veracode is pointing out the issue Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in the below line.

$('#SummaryDiv').html(data);

$.ajax({
            url: 'Target_URL',
            type: 'GET',
            // Note: jQuery's option is spelled dataType; this lowercase key is ignored,
            // so the response type is inferred from the Content-Type header and the
            // MVC ViewResult arrives as an HTML string.
            datatype: "json",
            traditional: true,
            cache: false
        }).done(function (data) {
            // Line flagged by Veracode: the response is inserted into the DOM as markup.
            $('#SummaryDiv').html(data);
        });

I am binding the MVC ViewResult to the DIV via the ajax call. I checked the articles on Stack Overflow but had no luck. What could be the possible solution to fix this Veracode issue?

2 Answers

0

So you are taking JSON and putting it directly into a div? I guess that means you don't expect the response to contain any HTML to be rendered, but rather want the JSON displayed as is. So the fix would be to use jQuery's .text() instead of .html().

Edit: If you need to render it as HTML, you should sanitize it with DOMPurify first.

Erlend
0

I have followed the below articles and fixed the issue by encoding the HTML received from the MVC ViewResult.

DOM based XSS Prevention Cheat Sheet https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md

OWASP Enterprise Security API (ESAPI) https://github.com/ESAPI/owasp-esapi-js/blob/28b2767731e672c620b86701a9f98f235951392b/README.md

ESAPI method to encode un-trusted content: $ESAPI.encoder().encodeForHTML(content)