0

I'm using a free template as a front end in my application and the main javascript file came out as a high risk as it's vulnerable to a dom based cross site scripting.Is there a way to sanitize the javascript function inside a javascript file? I searched and i found a .net library "System.Web.Security.AntiXss" that works on the server side but what should i use in this js file? the js file:

// Activate smooth scroll on page load with hash links in the url
  $(document).ready(function() {
    if (window.location.hash) {
      var initial_nav = window.location.hash;
      if ($(initial_nav).length) {
        var scrollto = $(initial_nav).offset().top - scrolltoOffset;
        $('html, body').animate({
          scrollTop: scrollto
        }, 1500, 'easeInOutExpo');
      }
    }
  });
// Toggle .header-scrolled class to #header when page is scrolled
  $(window).scroll(function() {
    if ($(this).scrollTop() > 100) {
      $('#header').addClass('header-scrolled');
    } else {
      $('#header').removeClass('header-scrolled');
    }
  });

  if ($(window).scrollTop() > 100) {
    $('#header').addClass('header-scrolled');
  }

  // Back to top button
  $(window).scroll(function() {
    if ($(this).scrollTop() > 100) {
      $('.back-to-top').fadeIn('slow');
    } else {
      $('.back-to-top').fadeOut('slow');
    }
  });

  $('.back-to-top').click(function() {
    $('html, body').animate({
      scrollTop: 0
    }, 1500, 'easeInOutExpo');
    return false;
  });

  // jQuery counterUp
  $('[data-toggle="counter-up"]').counterUp({
    delay: 10,
    time: 1000
  });
 // Init AOS
  function aos_init() {
    AOS.init({
      duration: 1000,
      easing: "ease-in-out",
      once: true,
      mirror: false
    });
  }
  $(window).on('load', function() {
    aos_init();
  });

})(jQuery);

Thank you in advance.

Improve this question
4
  • Does this answer your question? Is XSS possible with jQuery(location.hash)? Commented Nov 16, 2020 at 14:38
  • In case it's not clear why I've marked that as a duplicate, it is because the part that your scanner has flagged as vulnerable is at the top where you take location.hash and pass it off to $() - which is exactly the same as jQuery(location.hash). Worst comes to worst you could always just remove this - it's job is to scroll nicely to a div, but the browser will always do that by default, just without a transition. Commented Nov 16, 2020 at 14:41
  • I removed it from the js file . I can't find a way around it but thank you though for explaining the source of the vulnerability here.💞 Commented Nov 18, 2020 at 8:16
  • Probably a simple but safe work around would be to rely a bit more on native JavaScript instead of jQuery. You won't have the same issues with, for instance, document.getElementById(). You can even convert that to a jQuery element (I think), so something like this $(document.getElementById(initial_nav)).length, etc... Commented Nov 18, 2020 at 10:29

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.