I wrote the below line of code in my js file
var radio =
DOMPurify.sanitize($($.parseHTML(decodeURIComponent(encodeURIComponent($
(this).attr('name'))))).text());
and the checkmarx scan throws the below error at the above line
"The application embeds untrusted data in the generated output with $, at the above line of com.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output."
Can someone please tell me what I am doing wrong and what I need to do in order to fix this vulnerability issue? Thanks in advance
I have implemented DOMPurify.sanitize
I see two conflicting issues in your code.
You're encoding (this).attr('name') and then decoding it back (why?)
You don't need to use parseHtml since (this).attr('name') is already a
DOM object
You can simply write it as:
var radio = DOMPurify.sanitize(($(this).attr('name')).text());
Related
My eCommerce website needs to run JavaScript code so a 3rd party can send the customer a gift. The JavaScript code worked on the Thank You page, but I need to have a few-day delay before the script runs, so I'm trying to do this with Zapier instead. But Zapier is giving the following error when the same code is used there:
The run javascript could not be sent to Code by Zapier. SyntaxError: Unexpected token <
Zapier Support could not help, and I couldn't find the solution in Zapier's documentation.
Can someone please help modify the short code below, so that it can be run by Zapier?
<script src="https://members.thirdparty.com/jsapi/fbDE_Voucher.min.js"></script>
<script>
window.onload = function(){
var fdDE_detail = {
"fbDE_sender":'12345-67890',
"fbDE_fullname":"'"+inputData.CustName+"'",
"fbDE_email":"'"+inputData.CustEmail+"'",
"fbDE_amount":inputData.VoucherValue,
"fbDE_business":54321,
"fbDE_message":'Thank you for your purchase!'
}
fbDEVoucher(fdDE_detail);
}
</script>
The variables CustName, CustEmail, and VoucherValue are from prior Zapier steps. The first 2 need to be within single quotes, and the third is an integer (not requiring quotes). Please see image below:
JavaScript code for Zapier
Does anyone know how to fix the above error (in bold) so this code runs?
Appreciate your help! Thanks.
Zapier's code runs in Node.js, which is a different environment than the browser-based JS your code was running in before.
First off, <script> tags aren't available, since that's HTML. Whatever code comes in through fbDE_Voucher.min.js will need to be loaded separately. If it's not too long, you can paste it into the code window (but there's a better solution, see below).
There's also no window global, but you don't need it anyway. So to get this close to working, it would be something like:
// doesn't work, fbDEVoucher is undefined
fbDEVoucher({
fbDE_sender: "12345-67890",
fbDE_fullname: inputData.CustName, // doesn't need to be re-wrapped in a string
fbDE_email: inputData.CustEmail,
fbDE_amount: inputData.VoucherValue,
fbDE_business: 54321,
fbDE_message: "Thank you for your purchase!",
});
That's all you would need, assuming your function is already defined.
The best option for you here is to create a custom Zapier integration. This gives you a more full-featured JS environment than a Code by Zapier step, plus dramatically more control. You can include the aforementioned file and call the function as needed. There's docs about that here: https://platform.zapier.com/
I have a program that logs every GET/POST request made by a website during the page load process. I want to go through these requests one by one, execute them, and then determine if the file that was returned is a Javascript. Given that it won't have a .js ending (because of scripts like this, yanked from google.com a minute ago), how can I parse the file gotten from the request and identify if it is a Javascript file?
Thanks!
EDIT:
It is better to get a false positive than a false negative. That is, I would rather have some non-JS included in the JS-list than cut some real JS from the list.
The javascript link that you referred does not have a content type, nor does it have the js extension.
Any text file can be considered javascript if it can get executed which can make detection from scratch very difficult. There are two methods that come to mind.
Run a linter on the file contents. If the error is a syntax error or a Parsing error, it is not javascript. If there are no syntax error or parsing error, it should be considered javascript
Parse the AST (Abstract syntax tree) for the file contents. A javascript file would parse without errors. There should be a number of AST libraries available. I haven't worked with JS AST, so can't recommend any one of them but a quick search should give you some options.
I am not sure but probably a linter would also run AST before doing syntax checks. In this case, running AST seems like a lighter option.
The easiest way would be to check if there was anything identifying javascript files by their URI, because the alternatives are a lot heavier. But since you said this isn't an option, you can always check the syntax of the contents of each file using some heuristic tool. You can also check the response headers for its content-type.
In our dev shop, we use client-side templates and include no HTML tags in our JavaScript code.
In our continuous integration process, we run JSHint automatically after every commit (post-build action in Jenkins) to verify compliance with our coding style guidelines.
I'd like to configure JSHint so it throws a warning when it finds an HTML tag in a .js file.
How can I accomplish this? I've searched, but I can find no examples of HTML tag warnings nor custom rules for JSHint.
Edit:
Just to be clear, I'm trying to catch code like this:
var newDiv = "<div>Hello World!</div>";
$("body").append(newDiv);
If I could get JSHint to produce a warning for the first line in the example above, that'd be fantastic.
Second Edit:
If there's post-build plugin for Jenkins that could throw a validation error if HTML is found in a .js file, then that'd also be a great alternative solution.
The Answer
No, jSHint does not support disallowing arbitrary string contents or HTML tags inside of strings. It also does not support custom rules, for now, though the author has discussed adding a public api in the future.
My speculation (as I am not an insider) on WHY
The solution you're proposing (disallowing any HTML tags in any scenario) would disallow a wide variety of highly valid use cases, regardless of how you feel about creating HTML in js. I understand that it is what your team wants to do, but such a blunt force rule is not going to have the general applicability of the rest of jsHints rules. Their focus is on enforcing style rules. Since you're disallowing all HTML tags in strings this is really more of a content validation than a style one. It would eliminate the following content examples, which are irrelevant to DOM injection/separation of concerns.
For instance:
var example="I'm writing a report on <div> tags and css";
or
var htmlStrippedText = text.replace("<div>","");
My Advice
Of course lack of broad applicability is not a reason for YOU not to do this. If you really want to filter content like this, use a command line script to search with a regex. Since you only want to see if there is HTML, not whether its valid, you can just search for stuff in the form <[div|span|body|html... as well as document.createElementand it should be fine (although you might have to be more creative if you want to allow it inside of comments). Just don't use nodejs to run your script with JS or it will fail to validate itself. :)
Of course none of this will stop a determined developer:
var topSecretDOMObject,topSecretFunction,topSecretArgument;
topSecretFunction = "create"+"Element";
topSecretArgument = "d" + "i" + "v";
topSecretDOMObject = document[topSecretFunction](topSecretArgument);
I'm trying to make simple templating for users on a site. I have a test line like this :
<div id="test">Test</div>
It will alert the HTML properly with the following JS in all browsers except FF:
alert( document.getElementById( 'test' ).innerHTML );
In FF it will change the curly braces to their HTML encoded version. I don't want to just URL decode in case the user enters HTML with an actual URL instead of one of the templated ones. Any ideas to solve this outside of REGEXing the return value?
My fiddle is here: http://jsfiddle.net/davestein/ppWkT/
EDIT
Since it's seemingly impossible to avoid the difference in FF, and we're still early in development, we are just going to switch to using [] instead of {}. Marking #Quentin as the correct answer since it's what I'm going by,
When you get the innerHTML of something, you get a serialised representation of the DOM which will include any error recovery or replacing constructs with equivalents that the browser does.
There is no way to get the original source from the DOM.
If your code won't contain %xx elsewhere, you can just run it through unescape().
I've built an iPhone app that's working great so far. I've had some great help here optimising the code, but wondered if I could please obtain some help to display an error msg when the following conditions are met.
When the xml file is unavailable
When one of the xml data fields is missing (eg. brisbane is currently not listed in the xml for function 1, but should be - http://www.arpansa.gov.au/uvindex/realtime/xml/uvvalues.xml)
My current code: http://pastebin.com/VgBmdXjd
At the moment I've got the error msg working when the xml data field is empty (not missing), which should be apparent in the code. Please let me know if it isn't.
Also, both functions are setup a little differently, which might affect the way the condition is formatted. If anyone is able to explain the differences, that would be great too.
Any help is sincerely appreciated.
Kind Regards,
Glen
You need to set up the ajax error event handler in jQuery. Good Example