How to fix an XSS vulnerability in JavaScript
I ran a vulnerability analysis on the Veracode Platform and it found an XSS vulnerability. This is the code that has the vulnerability; I'm trying to fix it, but I need your help:
```html
<po-widget>
  <div class="po-row">
    <div class="treeview-container po-md-12">
      <!-- the (selectionChange) binding below is the one flagged as an XSS vulnerability -->
      <kendo-treeview
        class="po-md-12 po-mt-1 po-mb-1"
        kendoTreeViewDragAndDrop
        kendoTreeViewDragAndDropEditing
        kendoTreeViewExpandable
        [expandBy]="'id'"
        [(expandedKeys)]="expandedKeys"
        kendoTreeViewHierarchyBinding
        [childrenField]="'children'"
        [(nodes)]="treeviewItems"
        [textField]="'name'"
        kendoTreeViewSelectable
        [(selectedKeys)]="selectedKeys"
        (nodeDrop)="handleDrop($event)"
        (removeItem)="handleRemovedNode()"
        (selectionChange)="handleSelection($event)"
        [selectBy]="'id'"
        [isSelected]="isItemSelected"
      >
      </kendo-treeview>
    </div>
  </div>
</po-widget>
```
The line (selectionChange)="handleSelection($event)" is flagged as vulnerable by the Platform.
My suggestion to fix the vulnerability is:
```html
(selectionChange)="XSSfix('handleSelection($event)')"
```

```javascript
// Replace the HTML metacharacters with their entity references
function XSSfix(inputXSS) {
  return inputXSS
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}
```
What do you think? Is this solution correct? Does it work to fix the vulnerability?
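The following is an added example and not code from the question, from Kendo or from Veracode: an HTML-escaping helper of the kind the question proposes, with the entities written out and the quote characters included, run over the two different strings involved here, the template binding expression and the data a tree node actually carries. The sample node, the event payload shape (the selected node under dataItem) and the handler are assumptions constructed for the example.

```javascript
// Added example, not code from the question: an HTML-escaping helper of the
// kind proposed above, with the entities written out, and a check of what it
// does to (a) the template binding expression and (b) actual node data.

// Escape the characters that change meaning when a string is inserted into
// HTML text or a quoted attribute. One regex pass, so '&' is never escaped twice.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The binding expression from the template, as the question proposes to wrap it.
const BINDING_EXPRESSION = 'handleSelection($event)';

// Running the escaper over the expression string itself: the string contains
// none of the five characters, so the result is identical to the input.
function escapeBindingExpression() {
  return escapeHtml(BINDING_EXPRESSION);
}

// Constructed sample node (assumption: the same { id, name, children } shape
// the treeview above binds with textField 'name'). The name carries markup so
// the escaper has something to do.
const CONSTRUCTED_NODE = {
  id: 7,
  name: '<img src=x onerror="alert(1)">',
  children: [],
};

// Constructed event payload. Assumption: the selectionChange event carries the
// selected node under `dataItem`, with its index alongside.
const CONSTRUCTED_EVENT = { dataItem: CONSTRUCTED_NODE, index: '0' };

// A handler that treats the selected name as data. It returns the raw name,
// which is what a {{ name }} interpolation or [textContent] binding needs
// (Angular escapes those itself), and the escaped form for any code path that
// really does build an HTML string by hand.
function handleSelection(event) {
  const name = event.dataItem.name;
  return { id: event.dataItem.id, raw: name, escaped: escapeHtml(name) };
}

function main() {
  console.log('escaped binding expression:', escapeBindingExpression());
  console.log('selection:', handleSelection(CONSTRUCTED_EVENT));
}

main();
```

Escaping belongs at the point where a string is written into HTML, applied to the data (the node name) rather than to the template expression; the expression string has nothing in it for an escaper to change, which the first check above makes visible.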
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
