Hi,

I am using Intersoft webcombo in my ASP.Net Web application.

I am checking the application security using the tool semgrep for SAST (Static Application Security Testing).


While testing I faced the below errors. The JavaScript generated by the WebCombo is causing the issue.

Please help me to solve these issues.


Files in which the errors occurred:

  • CoreValidator.js
  • Core_DragDrop.js
  • ISCore.js
  • WebUIValidation.js
  • WebCombo.js

Error Message 1:

javascript.browser.security.insecure-document-method.insecure-document-method User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

... e.innerHTML=v;WC40Engine.InvalidateResultBox(f);return v},WriteCOLs:function(f,d){var  e="";if(f.LayoutSettings.ComboMode=="MultipleColumns"){var a= ... 

... b.innerHTML="<nobr>"+l.Text+"</nobr>"}}else{var h=p.Columns;for(var  k=0;k<h.length;k++){var f=h[k];if(f.Hidden&&!f.RenderOnHidden){continue}var q=f ... 


Error Message 2:

javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `e` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

…RegExp(c.Pattern,"img");g=c.NewValue.match(re);if(g==null){c.NewValue=c.NewValue.replace(new  RegExp("\\s+","g"),"");g=c.NewValue.match(re)}if(g== ...


Error Message 3:

javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

al(this.getAttribute(name))}}}},_EmulateSelectionModel:function(){Object.defineProperty(HTMLDocument.prototype,"selection",{get:function(){return w ...


Error Message 4:

javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization `h.replace` method will only replace the first occurrence when used with a string argument ("$"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.

replace("$","\\s*\\"+i+"\\s*")}else{if(j=="percent"){h=h.replace(i,"\\s*\\"+i+"\\s*")}}h="(?:^"+h.replace(new RegExp("\\s*","g"),"")+"$)";return h} ...


With Regards,

Giridhar JG