
For my project I have the jQuery 2.2.0 version, and recently the Checkmarx scan was added for the project.

I am trying to find a solution for the "Client DOM Stored XSS" error. I have used the DOMPurify library for HTML sanitization before appending the HTML to the node, but no luck! Any suggestions on how Checkmarx flags this, or any library for HTML sanitization recommended/accepted by Checkmarx, would be great. Below is the code snippet.

The application's function embeds untrusted data in the generated output with append, at line 241 of Sample.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

....
241. success: function (data) {
         // The htmlStr is formed from the data returned by the ajax call. There is some
         // concatenation and simple business logic before it is added to the DOM.
         ....
256.     jQuery(row).find('.MyClass').append(DOMPurify.sanitize(htmlStr, { SAFE_FOR_JQUERY: true }));

It's not recognizing DOMPurify.sanitize. Also tried with $.parseHTML().

Srikant Sahu
  • Please indicate your Checkmarx version and hotfix. DOMPurify may need to be added via query tuning depending on the version you're using. – NathanL Nov 06 '22 at 14:43
  • @srikant Have you got any solution for this? I am also facing the same issue. – santoshe61 Jun 01 '23 at 07:07
  • Yes @santoshe61 - It's a weird solution though. Use a different variable, e.g. JQ = jQuery.noConflict()... then use JQ – Srikant Sahu Jun 11 '23 at 17:17
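The finding is about the data flow from the AJAX response into `.append()`. Independently of whether the scanner recognizes `DOMPurify.sanitize`, encoding each untrusted field for its HTML context at the point where `htmlStr` is concatenated removes the attacker-controlled markup before it reaches the sink; the sanitize call on line 256 can stay as defense in depth. The following is an added example, not code from the question; the field names (`title`, `link`, `owner`) and the row markup are assumptions.

```javascript
// Added example, not from the question. Each untrusted field from the AJAX
// response is encoded for its context before it is concatenated into the
// row markup, so the string later handed to .append() carries no injected
// tags or attributes. Field names and markup are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// href is a URL context: only http(s) is allowed; javascript:, data: and
// anything else collapse to a harmless '#'.
function safeHref(value) {
  const s = String(value).trim();
  return /^https?:\/\//i.test(s) ? escapeHtml(s) : '#';
}

// Builds the markup for one row. Every interpolated value passes through the
// encoder for its context, so the concatenation itself cannot add markup.
function buildRowHtml(item) {
  return (
    '<div class="item">' +
      '<a href="' + safeHref(item.link) + '" title="' + escapeHtml(item.title) + '">' +
        escapeHtml(item.title) +
      '</a>' +
      '<span class="owner">' + escapeHtml(item.owner) + '</span>' +
    '</div>'
  );
}

// Equivalent of the loop in the success handler: the result is what would be
// passed to DOMPurify.sanitize(...) and then to jQuery(row).find('.MyClass').append(...).
function buildAllRows(items) {
  return items.map(buildRowHtml).join('');
}

// Constructed sample response: one benign record and one that carries markup
// in every field.
const sampleResponse = [
  { title: 'Quarterly report', link: 'https://intranet.example/report', owner: 'alice' },
  { title: '<img src=x onerror=alert(1)>', link: 'javascript:alert(1)', owner: '"><b>bob</b>' },
];
```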

0 Answers