Checkmarx Reflected XSS

Question

I have a Django based API. After scanning my application with CheckMarx if showed that I have Reflected XSS volnurability here:

user_input_data = json.loads(request.GET.get('user_input_data'))

What I already tried:

Used django.utils.html.escpae
Used django.utils.html.strip_tags
Used html.escape
Used escapejson package

Every time I run scanning, it finds stored XSS at exactly this location

score 2 · Accepted Answer · answered Sep 18 '21 at 00:26

What you have tried are correct and acceptable but Checkmarx's support to Django is somewhat limited which is why its not recognizing any of the functions you used. You need to argue with your security team about this and have them recognize that this is one of the proper ways of preventing XSS.

A rudimentary way of sanitizing input by using the replace function and replacing the '<' and '>' characters. Not a robust way, but that is what Checkmarx recognizes

def escape(s, quote=None):
    '''Replace special characters "&", "<" and ">" to HTML-safe sequences.
    If the optional flag quote is true, the quotation mark character (")
is also translated.'''
    s = s.replace("&", "&amp;") # Must be done first!
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s

credit from this code snippet post

Checkmarx Reflected XSS

1 Answers1