{"id":8094,"date":"2021-08-03T14:31:41","date_gmt":"2021-08-03T19:31:41","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8094"},"modified":"2021-08-03T14:31:41","modified_gmt":"2021-08-03T19:31:41","slug":"fortify-on-demand-remediation-cross-site-scripting-dom-js","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8094","title":{"rendered":"Fortify on Demand Remediation &#8212; Cross-Site Scripting DOM (JS)"},"content":{"rendered":"<p>This vulnerability occurs when you accept user input or gather input from an AJAX call to another web site and then use that input in output. The solution is to <em>sanitize<\/em> the input, but Fortify on Demand seems to object strenuously to setting innerHTML &#8230; so filtering alone may not be sufficient depending on how you subsequently use the data.<\/p>\n<p>To sanitize a string in JavaScript, use a function like this:<\/p>\n<pre><code>\/**\n * Sanitize and encode all HTML in a string.\n * Encodes &amp;, &lt; and &gt; only; quotes are not encoded, so the result is\n * safe as element text content but not inside an attribute value.\n * @param  {string} str  The input string\n * @return {string}      The sanitized string\n *\/\nvar sanitizeHTML = function (str) {\n    return str.replace(\/&amp;\/g, '&amp;amp;').replace(\/&lt;\/g, '&amp;lt;').replace(\/&gt;\/g, '&amp;gt;');\n};\n<\/code><\/pre>\n<p>This will replace ampersands and the &lt; and &gt; of potential HTML tags with their HTML-encoded equivalents. To avoid using innerHTML, you might need to get a little creative. In many cases, I have a span where the results are displayed. I color-code the results based on success\/failure &#8230; in that case, I can replace innerHTML with a combination of setting the CSS color style to &#8216;green&#8217; or &#8216;red&#8217; and then setting the innerText to my message string.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=8095\" rel=\"attachment wp-att-8095\"><img class=\"alignnone wp-image-8095 size-full\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2021\/08\/StopUsingInnerHTML.png\" alt=\"\" width=\"1620\" height=\"189\" \/><\/a><\/p>\n<p>I can bold an entire element using a similar method. Changing <em>some<\/em> of the text, however &#8230; I haven&#8217;t come up with anything other than breaking the message into multiple HTML elements. E.g. a span for &#8220;msgStart&#8221;, one for &#8220;msgMiddle&#8221;, and one for &#8220;msgEnd&#8221;\u00a0\u2013 I can then bold &#8220;msgMiddle&#8221; and set innerText for all three elements.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This vulnerability occurs when you accept user input or gather input from an AJAX call to another web site and then use that input in output. The solution is to sanitize the input, but Fortify on Demand seems to object strenuously to setting innerHTML &#8230; so filtering alone may not be sufficient depending on how &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[45,1437,856,69,1329],"class_list":["post-8094","post","type-post","status-publish","format-standard","hentry","category-coding","tag-coding","tag-fortify-on-demand","tag-javascript","tag-security","tag-web-coding"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8094"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8094\/revisions"}],"predecessor-version":[{"id":8096,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8094\/revisions\/8096"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}