Hey Guys,
We often scan our web pages using VeraCode; lately we resolved a few of the cross-site scripting (XSS) flaws identified.
Regarding the two files coming out of the Scripts/Infragistics package folder that are being addressed, we are looking for suggestions or advice:
/.../js/infragistics.lob.js 834
.../modules/infragistics.ui.upload.js 26
It would be helpful to know how to address these issues.
Thank You
Martin
Hello Martin,
Thank you for posting in our community.
Since VeraCode is a paid tool, I am not able to scan the mentioned files. Can you please provide me with the log of the identified flaws? This is going to be very helpful in order to decide how we should proceed further.
Additionally, can you please let me know whether you are using the igUpload component in your application?
Looking forward to hearing from you.
Hello Vasya,
I see that I'm not using the igUpload component. I could technically exclude infragistics.ui.upload.js (line 26); it appears in
the JS files within VeraCode_Publish.zip, which is the website publish package generated by Visual Studio.
Same applies to js/infragistics.lob.js file.
Below are the notes from VeraCode:
Description: This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
Recommendations: Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. When a web framework provides built-in support for automatic XSS escaping, do not disable it. Both the OWASP Java Encoder library for Java and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Thank You for any suggestions,
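A worked illustration of the contextual escaping that the VeraCode recommendation above describes, added here as an example; it is not part of Martin's post, the VeraCode report, or any Infragistics script. It assumes plain browser-side string building with hand-written encoders (no particular library), and shows why the HTML-body encoder alone is not the right choice for an attribute.

```javascript
// Added example: two separate encoders, one per output context named in the
// VeraCode note (HTML body vs. HTML attribute), so the caller picks the one
// matching where the untrusted value is inserted.

// HTML body context: neutralise the characters that can open markup or end a
// quoted string. Sufficient between tags, not sufficient inside attributes.
const BODY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtmlBody(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, ch => BODY_MAP[ch]);
}

// HTML attribute context (OWASP rule for attribute values): encode every
// character outside [A-Za-z0-9] as a hex entity, so whitespace, '=' and
// quote characters can never terminate the attribute or start a new one.
function escapeHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    ch => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Each rendering helper uses the encoder for its own insertion point.
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtmlBody(name)}</p>`;
}
function renderTitleAttr(title) {
  return `<span title="${escapeHtmlAttribute(title)}">info</span>`;
}

// Defender-side check: after encoding, is any raw character that could end
// the surrounding context still present in the output?
function stillContainsRaw(encoded, rawChars) {
  return [...rawChars].some(ch => encoded.includes(ch));
}

// Constructed untrusted input (not from the report) for the demonstration.
const SAMPLE = "O'Neil <b>&co</b> x=y";

function demo() {
  return {
    body: renderGreeting(SAMPLE),
    attr: renderTitleAttr(SAMPLE),
    // The body encoder leaves '=' and spaces untouched, which is exactly what
    // an attribute context cannot tolerate: hence a separate encoder.
    bodyEncoderSafeForAttr: !stillContainsRaw(escapeHtmlBody(SAMPLE), ' ='),
    attrEncoderSafeForAttr: !stillContainsRaw(escapeHtmlAttribute(SAMPLE), ' =<>"\''),
  };
}
```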
Infragistics.lob.js is a file containing the minified scripts for all line-of-business controls, including igUpload. In case you are not using the upload, my suggestion is to use our script combining tool to create a custom scripts bundle for your scenario without the igUpload. Script combiner is a tool that allows you to create a custom build with only those components and features required for your project, which will maximize the performance and minimize the download size. The custom build tool can be found here.
In order to create the bundle you will have to select all the components and features that you are using and download the custom build.
Please test this approach on your side and let me know whether it helps you resolve your issue with the VeraCode report.