XSS flaw detected by veracode static code scan
bsCotiviti
in FixedColumns
I am using jQuery DataTables version 1.10.22 with dataTables.fixedColumns version 3.3.2. A Veracode scan showed that there are multiple XSS flaws in dataTables.fixedColumns.js (lines 1255, 1278, 1281, 1290). Can someone confirm whether this flaw has been resolved or is going to be resolved in the latest release, or whether it shouldn't be any concern?
As part of XSS prevention I have implemented the X-XSS-Protection header, but the js file is still showing the flaw.
Answers
Could you update to FixedColumns v4 please? It has been basically completely rewritten, and the lines that are pointed to there are no longer used.
Thanks,
Allan
Hello Allan,
I am also getting the same flaw in buttons.html5.js (line 473). The file in my project was downloaded along with datatables.buttons (version 1.6.4) and it seems to be identical to https://cdn.datatables.net/buttons/2.1.0/js/buttons.html5.js with a few changes.
Could you recommend what I should do with this extension? And also, for upgrading the extensions, do I need to upgrade the base DataTables js as well?
That's odd that you're getting the error, as that's an old version of Buttons and a problem hasn't been reported before. As Allan said, it would be worth updating, and yep, it would be best to update all the components. The easiest way to do that would be to use the download page, where the dependencies and latest versions are considered.
Colin
I have upgraded to the https://cdn.datatables.net/buttons/2.2.2/js/buttons.html5.js version. But it is still showing the same flaw that was described above by bsCotiviti. Could you suggest any other solutions for that?
@rajee We're happy to take a look, but as per the forum rules, please link to a test case - a test case that replicates the issue will ensure you'll get a quick and accurate response. Information on how to create a test case (if you aren't able to link to the page you are working on) is available here.
Cheers,
Colin
Hi @colin, thanks for your quick response. Basically, when my application was scanned by Veracode, it showed "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" from buttons.html5.js. I used the latest version of the DataTables Buttons extension, https://cdn.datatables.net/buttons/2.2.2/js/buttons.html5.js. The Improper Neutralization of Script-Related HTML Tags in a Web Page finding shows on line number 473. It showed the same Veracode flaw from DataTables FixedColumns, but when I upgraded to the latest version 4.0.2, that flaw was removed. The same kind of flaw was not removed from DataTables Buttons, though. So could you please suggest what the solution for that would be?
Thanks,
Rajee
That line (tempNode.appendChild( value );) is used in our Excel export - it isn't actually used to display anything on the web page. For the error message, I presume the issue is that it is concerned about a <script> tag being inserted into the document. But the code path to there can't do that and, as I say, it wouldn't be rendered onto the page even if it was.
Allan