I use the Veracode Platform to analyze some projects. I currently have a project in Angular. I have a select list in my application.
Veracode reports that, by selecting an option, it is possible to execute malicious JavaScript, i.e. XSS. As there are many XSS payloads and the simplest JavaScript injections don't work, I need input from more experienced developers.
This is my code:
<kendo-treeview
    class="po-md-12 po-mt-1 po-mb-1"
    kendoTreeViewDragAndDrop
    kendoTreeViewDragAndDropEditing
    kendoTreeViewExpandable
    [expandBy]="'id'"
    [(expandedKeys)]="expandedKeys"
    kendoTreeViewHierarchyBinding
    [childrenField]="'children'"
    [(nodes)]="treeviewItems"
    [textField]="'name'"
    kendoTreeViewSelectable
    [(selectedKeys)]="selectedKeys"
    (nodeDrop)="handleDrop($event)"
    (removeItem)="handleRemovedNode()"
    (selectionChange)="handleSelection($event)"
    [selectBy]="'id'"
    [isSelected]="isItemSelected"
>
</kendo-treeview>
The vulnerable line is this:
(selectionChange)="handleSelection($event)"
Is it possible to run JavaScript or exploit XSS through this code? Given that there are many JavaScript payloads for exploiting XSS vulnerabilities, is it really not possible to inject JavaScript here to exploit XSS?
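The finding is about data that flows out of the selectionChange event and into the DOM. An added example (not from the question or from Kendo) of a defensive handleSelection: it only accepts selections that resolve to a node the component itself supplied (keyed by id, nested under children, as in the template) and escapes the node name before any code path writes it into raw HTML. The shape of the event payload (dataItem, index) and the sample tree are assumptions.

```typescript
// Added example: defensive handling of the TreeView selectionChange payload.
// Assumption: the event carries the selected node as `dataItem` plus an index.
interface TreeNode {
  id: number;
  name: string;
  children?: TreeNode[];
}

interface SelectionEvent {
  dataItem: TreeNode;
  index: string;
}

// Flatten the hierarchy so every node is reachable by its id (selectBy="id").
function flattenNodes(nodes: TreeNode[]): Map<number, TreeNode> {
  const out = new Map<number, TreeNode>();
  const walk = (list: TreeNode[]): void => {
    for (const n of list) {
      out.set(n.id, n);
      if (n.children) walk(n.children);
    }
  };
  walk(nodes);
  return out;
}

// Accept the selection only if it points at a node the component supplied;
// a tampered id or an unexpected object is rejected instead of being used.
function resolveSelection(ev: SelectionEvent, known: Map<number, TreeNode>): TreeNode | null {
  const id = ev?.dataItem?.id;
  if (typeof id !== "number") return null;
  return known.get(id) ?? null;
}

// Angular's {{ }} interpolation already escapes; this is for code paths that
// bypass it (innerHTML, bypassSecurityTrustHtml, third-party DOM writes).
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample tree for the demonstration (a name with markup characters).
const sampleNodes: TreeNode[] = [
  { id: 1, name: "Root", children: [{ id: 2, name: "A & B <c>" }] },
];

// Returns the text that is safe to place in the DOM, or "" if the selection is invalid.
function handleSelection(ev: SelectionEvent): string {
  const node = resolveSelection(ev, flattenNodes(sampleNodes));
  return node ? escapeHtml(node.name) : "";
}
```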