How do I mitigate these Client Potential XSS vulnerabilities


dsjamison Posts: 1 Questions: 1 Answers: 0

I ran a scan with Checkmarx on datatables 1.10.5, and it found 4 Client Potential XSS vulnerabilities. Example: Method function at line 512 of datatables-1.10.15/DataTables/dataTables.buttons.js gets user input for the text element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method function at line 512 of datatables-1.10.15/DataTables/dataTables.buttons.js. This may enable a Cross-Site-Scripting attack.

Line 574.

.html( text( config.text ) )

How do I mitigate these vulnerabilities?

Thanks,

Dave Jamison

Answers

  • awelch Posts: 38 Questions: 1 Answers: 3

    This isn't really an attack vector unless you make it so in your implementation. config.text is typically set by a developer at design-time when configuring a DataTable with Buttons. This could only be an attack vector if you let users customize the text on buttons on public-facing web pages and don't sanitize their customized text when you store it. In most any situation, if you are storing data submitted by users that will be displayed to other users, sanitize it as it goes into your DB. If you're not storing data from users, or you're not displaying that data to other users, then you have nothing to worry about. A user could always use this vector to attack themselves, but that's their prerogative and not your problem.
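As an added illustration of the point made in this answer (example code, not from the thread or the DataTables project): because Buttons inserts `config.text` with `.html()`, a label that originates from an untrusted source should be escaped at the boundary where it enters the button configuration. `escapeHtml`, `buildButtonConfig` and `renderButtonLabel` are names assumed here for illustration; `renderButtonLabel` is a stand-in for the flagged sink, not the Buttons internals.

```javascript
// Added example: escaping untrusted text before it reaches the Buttons
// `text` option. escapeHtml, buildButtonConfig and renderButtonLabel are
// assumptions for illustration, not DataTables API.

// Minimal HTML escaping for a string that will be inserted as markup.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build a Buttons config from a label that came from an untrusted source
// (e.g. a stored per-user preference). Escaping happens here, at the
// boundary, so the value handed to `text` is safe to treat as HTML.
function buildButtonConfig(userLabel) {
  return { extend: 'csv', text: escapeHtml(userLabel) };
}

// Stand-in for the sink the scanner flagged, `.html( text( config.text ) )`:
// resolves a function or string and returns the markup that would be set
// on the button element.
function renderButtonLabel(config) {
  const label = typeof config.text === 'function' ? config.text() : config.text;
  return '<span>' + label + '</span>';
}

// Constructed sample: a label that happens to contain markup.
const untrustedLabel = '<b>Export</b>';
// Unescaped: the markup is interpreted as HTML.
const unsafe = renderButtonLabel({ text: untrustedLabel });
// Escaped at the boundary: the markup is shown literally.
const safe = renderButtonLabel(buildButtonConfig(untrustedLabel));
```

Design-time labels written by the developer need no such treatment; the escaping belongs only on the path where the label value is user-controlled.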

This discussion has been closed.