You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our infosec area ran Checkmarx against an application using QueryBuilder which reported two potential XSS, as shown below.
I am not sure those are real problems. Could they be false positives?
Client Potential XSS\Path 1:
The application's function embeds untrusted data in the generated output with html, at line 1452 of js/query-builder.standalone.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
The application's function embeds untrusted data in the generated output with append, at line 1178 of js/query-builder.standalone.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
Our infosec area ran Checkmarx against an application using QueryBuilder which reported two potential XSS, as shown below.
I am not sure those are real problems. Could they be false positives?
Client Potential XSS\Path 1:
The application's function embeds untrusted data in the generated output with html, at line 1452 of js/query-builder.standalone.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
Source
File: js/query-builder.standalone.js
Line: 3152
Object: change
Destination
File: js/query-builder.standalone.js
Line: 1464
Object: html
Code snippet
Method: QueryBuilder.prototype.getRuleFilterSelect = function(rule, filters) {
Method: QueryBuilder.prototype.createRuleFilters = function(rule) {
Client Potential XSS\Path 2:
The application's function embeds untrusted data in the generated output with append, at line 1178 of js/query-builder.standalone.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
Source
File: js/query-builder.standalone.js
Line: 3096
Object: change
Destination
File: js/query-builder.standalone.js
Line: 1184
Object: append
Code snippet
Method: QueryBuilder.prototype.getGroupTemplate = function(group_id, level) {
Method: QueryBuilder.prototype.setRoot = function(addRule, data, flags) {
The text was updated successfully, but these errors were encountered: