Hello, we recently performed a Veracode static scan on the application. Most of our application behaves dynamically, as we insert HTML/script into the page based on the user's selection.
When we ran the Veracode static scan we received the following flaw for the following code snippet.
$currentDropDown.parents('.selectListRegion').siblings(".pmDifContent").html(result);
It is complaining about the .html(result) call.
Attack Vector: jQueryResult.html
Description: This call to jQueryResult.html() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
MVC action method that returns the partial view:
public ActionResult LoadActvity()
{
    ViewData["CurrentReasonModelId"] = ViewData["CurrentSubReasonModelId"] = 1;
    var reasonData = GetReasonModel();
    ReasonViewBuilder.PopulateDataFromSession(null, reasonData.ReasonModels[0].SubReasonModels[0]);
    return PartialView(Constants.Constants.NewSubReasonModelGridPartailViewPath,
        new ReasonViewModel(reasonData));
}
jQuery code that invokes the above action method and receives the result (HTML/script):
$.get(reasonControllerPath + "Load", function (result) {
    $currentDropDown.parents('.selectListRegion').siblings(".ChildContent").html(result);
    // modify control attributes accordingly.
    modifyControlAttributesForActivityGrid(currentPanelIndex, $currentDropDown.parents('.selectListRegion').siblings(".premiumDiffChildContent"));
}).always(function () {
    $.unblockUI();
});
Result that is being passed to the view:
<script type="text/javascript">
    $(document).ready(function () {
        $(".aList").tablesorter({ debug: true, selectorHeaders: "thead th" });
        $(".activitiesCollectionPanel .thInner").each(function () {
            if ($(this).attr("id") != "firstHeader")
                $(this).addClass("header");
        });
        $(".activitiesCollectionPanel .thInner").on("click", function () {
            setTimeout(function () {
                $(".activitiesCollectionPanel .thInner").each(function () {
                    if ($(this).attr("id") != "firstHeader")
                        $(this).removeClass().addClass("thInner " + $(this).parent().attr("class"));
                });
            }, 10);
        });
    });
</script>
<div class="activitiesCollectionPanel">
    <div class="displayText">
        <label for="ReasonData_ReasonModels_0__SubReasonModels_0__Activities">Please select activity</label>
    </div>
    <div style="width: 665px;">
        <div></div>
        <div></div>
        <table class="activitiesList">
            <thead>
            </thead>
            <tbody>
            </tbody>
        </table>
    </div>
</div>
As you can see above, we are passing the HTML/script as the result.
Do you know how I can avoid the XSS flaw in the above scenario?
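One way to remove the flagged sink, shown here as an added example that is not code from the post above: have the action return data (JSON) rather than rendered markup, build the markup on the client, and HTML-encode every value that came from the response before it is concatenated into the string handed to .html(). The JSON shape (labelFor, label, columns, activities) and the helper names are assumptions for the example; the original action returns a partial view, and the tablesorter initialisation that was embedded in the response would move into the page's static JavaScript.

```javascript
// Added example, not code from the original post. It assumes the MVC action
// is changed to return JSON with the hypothetical shape used below instead of
// a rendered partial view, so the client owns the markup and only data
// crosses the wire.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode the characters that let data break out of text content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Rebuild the same markup the partial view produced, with every value taken
// from the response encoded before it is concatenated into the string.
function renderActivityTable(model) {
  const headerCells = model.columns
    .map((c) => `<th class="thInner">${escapeHtml(c)}</th>`)
    .join('');
  const rows = model.activities
    .map((a) => `<tr><td>${escapeHtml(a.code)}</td><td>${escapeHtml(a.name)}</td></tr>`)
    .join('');
  return (
    '<div class="activitiesCollectionPanel">' +
      '<div class="displayText">' +
        `<label for="${escapeHtml(model.labelFor)}">${escapeHtml(model.label)}</label>` +
      '</div>' +
      '<div style="width: 665px;">' +
        '<table class="activitiesList">' +
          `<thead><tr>${headerCells}</tr></thead>` +
          `<tbody>${rows}</tbody>` +
        '</table>' +
      '</div>' +
    '</div>'
  );
}

// True when a rendered string still contains a raw <script> tag; used as a
// guard when reviewing output in tests.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample response: one activity name carries a script tag, as a
// tampered or hostile stored value would.
const SAMPLE_RESPONSE = {
  labelFor: 'ReasonData_ReasonModels_0__SubReasonModels_0__Activities',
  label: 'Please select activity',
  columns: ['Code', 'Activity'],
  activities: [
    { code: 'A1', name: 'Review <draft> & publish' },
    { code: 'A2', name: '<script>alert(1)</script>' },
  ],
};

// In the page, this replaces the $.get handler (jQuery assumed to be loaded):
//   $.getJSON(reasonControllerPath + "Load", function (data) {
//     $target.html(renderActivityTable(data));   // markup is ours, data is encoded
//     $(".activitiesList").tablesorter({ selectorHeaders: "thead th" });
//   });
```

The string passed to .html() is then built entirely from developer-written literals plus encoded values, which is the property the scanner cannot see when the whole fragment arrives from the server. If the partial view has to stay, the equivalent is to make sure every value in the Razor view is written with @ (which encodes by default) rather than Html.Raw, and to keep the script out of the response; the static sink will still be reported and would need to be reviewed as a mitigated finding.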