简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Q&A  >  body text

How to fix checkmarx error "...untrusted data was embedded directly in the output..."

In a front-end application using jQuery, I have an oversimplified code like this (including line numbers): 

...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...

In checkmarx I get this error:

The application's {method_name} uses $ at {file_name} line 130 to embed untrusted data into the generated output. This untrusted data is embedded directly into the output without proper sanitization or encoding, allowing attackers to inject malicious code into the output.

So - what should I do here? ...since the ID attribute is just an ID, you know...so I don't know what sanitization or encoding should be performed on it.

P粉330232096P粉330232096241 days ago299

reply all(1)I'll reply

  • P粉258083432

    P粉2580834322024-02-22 09:19:53

    I just encountered a similar problem.

    Try to replace: 

    $('#' + buttonId).focus();

    and:

    jQuery('#' + buttonId).focus();

    Somehow, for this case, the scanner doesn't know that the variable $ is the same as the jQuery variable.

    Try it;o)

    reply
    0
  • Cancelreply