Conversation
```js
// This is an unsafe practice and can lead to XSS vulnerabilities
const userInput = document.getElementById('userInput').value;
document.getElementById('content').innerHTML = userInput;
```
Security control: Static Code Analysis Js
Type: Javascript.Browser.Security.Insecure-Document-Method.Insecure-Document-Method
Description: User-controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
This remediation replaces the usage of insecure methods like 'innerHTML', 'outerHTML' or 'document.write' with a safer alternative, 'textContent'. The code will now use 'textContent' to safely set or update the content without putting your application at risk of XSS attacks.
```diff
- document.getElementById('content').innerHTML = userInput;
+ document.getElementById('content').textContent = userInput;
```
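Review bot: the suggested replacement changes rendering semantics, not only safety: with textContent the value is displayed literally, so any markup the page expected innerHTML to render will now appear as text. Since this is WebGoat, where the snippet is commented as a deliberately unsafe practice, check whether the innerHTML sink is the behaviour the lesson is meant to teach before accepting the change; if it is, the finding belongs under one of the ignore commands below rather than being merged as a fix.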
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp: Ignore and mark this specific single instance of finding as “False Positive”
#jit_ignore_accept: Ignore and mark this specific single instance of finding as “Accept Risk”
#jit_ignore_type_in_file: Ignore any finding of type "javascript.browser.security.insecure-document-method.insecure-document-method" in test.js
#jit_undo_ignore: Undo ignore command
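To make the finding concrete, here is the flagged sink written three ways, as an added example that is not WebGoat's code and not Jit's suggestion. It runs under Node, so it uses a minimal stand-in object for a DOM element (an assumption: real elements parse and re-serialize on innerHTML, the stub just stores the string), a constructed attacker payload, and an `escapeHtml` helper of my own for the case where the value must be embedded in markup rather than shown as plain text.

```javascript
// Stand-in for a DOM element so the example runs outside a browser.
// Assumption: a real element would parse markup on innerHTML; this stub only stores it.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed attacker-controlled input: a DOM XSS payload that needs no <script> tag,
// because event-handler attributes fire when the browser parses the markup.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// 1. The flagged pattern: raw user input reaches an HTML-parsing sink.
function renderUnsafe(el, userInput) {
  el.innerHTML = userInput; // browser parses the markup and runs the onerror handler
  return el.innerHTML;
}

// 2. Jit's suggested fix: textContent treats the string as text, never as markup,
//    so the payload is displayed literally and nothing executes.
function renderAsText(el, userInput) {
  el.textContent = userInput;
  return el.textContent;
}

// 3. If the value must be embedded in markup, escape the five HTML metacharacters
//    before concatenation so the parser sees text, not a tag or attribute.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}
function renderEscaped(el, userInput) {
  el.innerHTML = '<p>' + escapeHtml(userInput) + '</p>';
  return el.innerHTML;
}

// Check used by this example: did the attacker's tag reach the HTML parser unescaped?
function payloadReachedParser(html) {
  return /<img\b/i.test(html);
}

// Usage against the constructed payload.
const el = fakeElement();
console.log(payloadReachedParser(renderUnsafe(el, PAYLOAD)));  // true: tag is parsed
console.log(payloadReachedParser(renderEscaped(el, PAYLOAD))); // false: only &lt;img ...&gt;
console.log(renderAsText(el, PAYLOAD) === PAYLOAD);            // true: shown literally
```

The escaping variant is the one to reach for when the fix cannot simply be `textContent` (for example when the user value sits inside a template that must render other markup); it keeps innerHTML but guarantees the untrusted part can never open a tag or break out of an attribute.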
Thank you for submitting a pull request to the WebGoat!