search

Home  >  Q&A  >  body text

How to fix checkmarx error "...untrusted data was embedded directly in the output..."

In a front-end application using jQuery, I have an oversimplified code like this (including line numbers):

...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...

In checkmarx I get this error:

The application's {method_name} uses $ at {file_name} line 130 to embed untrusted data into the generated output. This untrusted data is embedded directly into the output without proper sanitization or encoding, allowing attackers to inject malicious code into the output.

So - what should I do here? ...since the ID attribute is just an ID, you know...so I don't know what sanitization or encoding should be performed on it.

P粉330232096P粉330232096284 days ago331

reply all(1)I'll reply

  • P粉258083432

    P粉2580834322024-02-22 09:19:53

    I just encountered a similar problem.

    Try to replace:

    $('#' + buttonId).focus();
    

    and:

    jQuery('#' + buttonId).focus();
    

    Somehow, for this case, the scanner doesn't know that the variable $ is the same as the jQuery variable.

    Try it;o)

    reply
    0
  • Cancelreply