cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

DOM Purify fix still pops up as vulnerability in Fortify XSS Scans #799

Closed sajanyamaha closed 1 year ago

sajanyamaha commented 1 year ago

Am I doing anything wrong here, trying to fix an XSS vulnerability which popped up in Fortify scans?

Before: $(window.opener.document).find(tableId + ' .PROMO_NM').val('Y');

After: $(window.opener.document).find(tableId + ' .PROMO_NM').val(DOMPurify.sanitize('Y'));

On rescan the vulnerability stays!

cure53 commented 1 year ago

I would assume that the issue might be the tableId on find() - but either way, this strikes me as a false alert in Fortify. Not our bug :)