Closed jportilloa closed 1 week ago
I guess those snippets could be replaced with this.element.querySelector(... but I will check and let you know.
Hello, thank you for responding. Yes, I tried with this.element.querySelector(...); it no longer detects the vulnerability, but the get_node function doesn't work properly anymore.
I will only be doing critical fixes in v.3 from now on. While this report sounds troublesome I struggle to find and actual exploit for this. If an actual exploit is possible I will fix this ASAP.
In Checkmarx, this vulnerability is flagged as follows: "The method function embeds untrusted data in generated output with jQuery, at line 962 of jstree. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page." This vulnerability arises from the following code:
And also this:
These snippets reference the following code:
$('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)
And this:
$('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element)