
I am facing a DOM XSS issue with the code below: on AJAX success I get data as a return value, which I pass to one of my divs, and this code is creating DOM XSS.

Can anyone please help me resolve this issue? The return value comes as HTML data, which I need to assign to the DIV.

$.ajax({
    url: 'API/MyDemoURL',
    type: 'POST',
    data: { id: 1 },
    cache: false,
    success: function (data) {
        // data is an HTML string from the server; .html() inserts it as markup,
        // which is the line the scanner flags as DOM XSS
        $("#div1").html(data);
    }
});

I tried escaping or encoding the HTML, but that replaces the tags with entity codes, which are then assigned to the div and printed as a string.

Data coming from the server side:

"<table><tr><td>hello World!!</td></tr></table>"
Ignacio Ara
Jinesh Jain

1 Answer


The HTML is generated by your C# code on the server side. Therefore, in order to fix your XSS vulnerability you must properly encode data in your C# code while generating the HTML. The bug lies within your C# code, not your JS code.

Erwan Legrand