callmekatootie

Reputation: 11228

Why does Checkmarx mark this as an XSS vulnerability?

I have the following code in an HTML file:

<div class="dropdown" data-type="all">

Checkmarx has identified this statement as a potential XSS vulnerability. This is the first line in the HTML file (it's a template / partial that will be inserted into something else).

My question is: why is it marked as a potential XSS vulnerability? I did read the OWASP pages about it and understand that I need to escape the values assigned to the attributes, but as you can see, the values for the attributes are just fine.

Upvotes: 0

Views: 1750
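As an added illustration (not code from the question or the answer) of the OWASP attribute-escaping rule the question refers to: a literal value such as `all` is harmless, but the same partial becomes a break-out point as soon as the attribute value is interpolated from outside the template without attribute-context escaping. The `type` parameter and the constructed input are assumptions for the demonstration.

```javascript
// Added example, not from the original post. Shows the difference between a
// literal attribute value and an interpolated one in the question's partial.

// HTML attribute-context escaping: the five characters that can terminate or
// alter an attribute value are replaced with character references.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Hypothetical version of the partial where `type` arrives from outside the
// template (in the question it is the literal "all"). This one interpolates
// the value as-is.
function renderDropdownUnsafe(type) {
  return `<div class="dropdown" data-type="${type}">`;
}

// Same partial, but the value is escaped for the attribute context first.
function renderDropdownSafe(type) {
  return `<div class="dropdown" data-type="${escapeHtmlAttribute(type)}">`;
}

// Defensive check used by the test below: returns the data-type value only if
// the rendered line is still exactly one div with class and data-type attributes,
// otherwise null (meaning the value broke out of the attribute).
function extractDataType(html) {
  const m = /^<div class="dropdown" data-type="([^"]*)">$/.exec(html);
  return m ? m[1] : null;
}

// Constructed input: a value that closes the attribute and starts another one.
const CONSTRUCTED_INPUT = 'all" data-extra="injected';

// With the literal "all" both renderers produce the line from the question.
// With the constructed input only the escaped version keeps a single attribute.
```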

Answers (1)

Amit

Reputation: 141

If that is the first line in the file, then it may be that Checkmarx is not marking the right place in the code. Take a look at the result's source line number and destination line number (shown in the table on the bottom); that should point you to the place where the input is received, and where the value that is affected by the input is printed.

PS: if you are using IE to view the scan results, try switching to Chrome or Firefox; maybe the result will render better on those browsers.

Upvotes: 1
