How to fix checkmarx error "...untrusted data was embedded directly in the output..."

Question

In a front-end application using jQuery, I have an oversimplified code like this (including line numbers):

...
129: var buttonId = $('some-element').closest('...').siblings('...').attr('id');
130: $('#' + buttonId).focus();
...

In checkmarx I get this error:

The application's {method_name} uses $ at {file_name} line 130 to embed untrusted data into the generated output. This untrusted data is embedded directly into the output without proper sanitization or encoding, allowing attackers to inject malicious code into the output.

So - what should I do here? ...since the ID attribute is just an ID, you know...so I don't know what sanitization or encoding should be performed on it.

Answer 1

I just encountered a similar problem.

Try to replace:

$('#' + buttonId).focus();

and:

jQuery('#' + buttonId).focus();

Somehow, for this case, the scanner doesn't know that the variable $ is the same as the jQuery variable.

Try it;o)