XSS flaw detected by veracode static code scan

XSS flaw detected by veracode static code scan

bsCotivitibsCotiviti Posts: 2Questions: 1Answers: 0

I am using jquery datatable version 1.10.22 with dataTables.fixedColumns version 3.3.2. Veracode scan showed there are multiple XSS flaws in the dataTables.fixedColumns.js (line no: 1255, 1278, 1281, 1290). Can someone confirm if this flaw has been resolved or going to be resolved in latest release or this shouldn't be any concern?

As part of XSS prevention I have implemented X-XSS-Protection header but js file still showing the flaw.

Answers

  • allanallan Posts: 63,602Questions: 1Answers: 10,486 Site admin

    Could you update to FixedColumns v4 please? It has been basically completely rewritten and the issues the lines that are pointed to there are no longer used.

    Thanks,
    Allan

  • bsCotivitibsCotiviti Posts: 2Questions: 1Answers: 0

    Hello allan,

    I am also getting same flaw in buttons.html5.js (line no: 473). The file in my project is downloaded along with datatables.buttons (version 1.6.4) and it seems it is identical with https://cdn.datatables.net/buttons/2.1.0/js/buttons.html5.js with few changes.

    Could you recommend me what should I do with this extension? And also for upgrading the extensions do I need to upgrade the base datatable js as well?

  • colincolin Posts: 15,240Questions: 1Answers: 2,599

    That's odd that you're getting the error, as that's an old version of buttons and a problem hasn't been reported before. As Allan said, it would be worth updating, and yep, it would be best to update all the components. The easiest way to do that would be to use the download page, where are the dependencies and latest versions are considered.

    Colin

  • rajeerajee Posts: 2Questions: 0Answers: 0

    I have upgraded https://cdn.datatables.net/buttons/2.2.2/js/buttons.html5.js version. But still showing same flaw which was described above by bsCotiviti. Could you suggest any other solutions for that.

  • colincolin Posts: 15,240Questions: 1Answers: 2,599

    @rajee We're happy to take a look, but as per the forum rules, please link to a test case - a test case that replicates the issue will ensure you'll get a quick and accurate response. Information on how to create a test case (if you aren't able to link to the page you are working on) is available here.

    Cheers,

    Colin

  • rajeerajee Posts: 2Questions: 0Answers: 0

    Hi @colin I'm happy for your quick response. Basically, when my application was scan by veracode, its shows the " Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" from buttons.html5.js. I used the latest version of datatable button _https://cdn.datatables.net/buttons/2.2.2/js/buttons.html5.js_. The Improper Neutralization of Script-Related HTML Tags in a Web Page shows on line number 473. Its shows the same veracode flow from datatable fixed column but when I upgraded to latest version 4.0.2, the flaw has been removed. But same nature of flaw was not removed from datatable buttons. So could you please suggest what will be the solution for that.

    Thanks,
    Rajee

  • allanallan Posts: 63,602Questions: 1Answers: 10,486 Site admin

    That line (tempNode.appendChild( value );)) is used in our Excel export - it isn't actually used to display anything on the web page.

    For the error message, I presume the issue is that it is concerned about a <script> tag being inserted into the document. But the code path to there can't do that and as I say, it wouldn't be rendered onto the page even if it was.

    Allan

Sign In or Register to comment.