javascript - Fortify : DOM based cross site scripting -

-

i have fortify vulnerability cross site scripting : dom.

in application(asp.net) dynamically constructing html , assign div tag complaining issue.

str += '<div id="' + itemid + '"';  if(somecondition==true){    str += 'class="' + somevalue + '"';      }  if (somevalue == 0) {                str += ' style="position: relative; ';    str += 'top:0; ' ;    str += 'visibility: inherit; '    }else{    str += ' style="position: absolute; ';    str += 'top: ' +  itemy + '; ' ;    str += 'width: ' + w + '; ';    str += 'height: ' + h + '; '    str += 'visibility: inherit; '

....

......

after constructing html, assigning div tag below.

  var newdiv = document.createelement('div');    document.getelementsbytagname('body').item(0).appendchild(newdiv);    newdiv.innerhtml = str;

while assigning str newdiv fortify showing cross site scripting : dom issue.

to fix issue tried using html encoder didnt work. please share inputs resolve issue.

simply html encoding data not sufficient. make sure unsafe data encoded context in appears within document. see following articles, discuss various contexts , importance of context-sensitive encoding:

  1. http://security.coverity.com/document/2013/mar/fixing-xss-a-practical-guide-for-developers.html
  2. https://www.owasp.org/index.php/dom_based_xss_prevention_cheat_sheet

Comments

Post a Comment

Popular posts from this blog

Hatching array of circles in AutoCAD using c# -

-
i beginner in autocad plugins .i have created array of circle using following code. now, have hatch circles in array .how that??how hatch circles @ once? moreover, how can return hatch method , use hatch objects.sorry language.thanks in advance. [assembly: commandclass(typeof(beamsection.class1))] namespace beamsection { public class class1 { //class1 obj = new class1(); [commandmethod("beamatsupport")] public void addlightweightpolyline() { // current document , database document acdoc = application.documentmanager.mdiactivedocument; database accurdb = acdoc.database; promptpointresult ppr = acdoc.editor.getpoint("\nselect starting point "); var ucs = acdoc.editor.currentusercoordinatesystem; point3d startingpt = ppr.value.transformby(ucs); list<double> radius = new list<double>(); radius.add(0.5); ...
Read more

ios - UITEXTFIELD InputView Uipicker not working in swift -

-
hello trying pop uipickerview view programmatically when user clicks on textfield. have tried doesn't doing anything. isn't working. nothing happening when click textfield class userprofiletableviewcontroller: uitableviewcontroller,uitextfielddelegate,uipickerviewdelegate,uipickerviewdatasource { var itempicker: uipickerview! = uipickerview() @iboutlet weak var gendertxtfield: uitextfield! var gender = ["male","female"] override func viewdidload() { super.viewdidload() gendertxtfield.delegate = self itempicker!.delegate = self itempicker!.datasource = self itempicker!.backgroundcolor = uicolor.blackcolor() self.gendertxtfield.inputview = itempicker } func numberofcomponentsinpickerview(pickerview: uipickerview) -> int{ return 1 } // returns # of rows in each component.. func pickerview(pickerview: uipickerview, numberofrowsincomponent component:...
Read more