From what I've been able to find online, I think Checkmarx is flagging because the code is appending HTML content directly to the DOM using .append() which may include user-controlled input. To fix this I used jQuery.text() to safely set the content of the element and createTextNode() to safely add the value as text to ensure that k and v will not be parsed as HTML but instead as plain text.
I was expecting these changes to resolve the issue; however, these changes did not resolve the issue for Checkmarx. I'm not really familiar with JS and jQuery so any help is appreciated.
Original Code:

    $.each(response, function(k, v) {
        $("#ulId").append("<li class='list-group-item ng-binding ng-scope'><strong class='ng-binding'>" + k + ": </strong>" + v + "</li>");
    });
Changes:

    $.each(response, function(k, v) {
        // Build the elements instead of concatenating markup, so k and v are
        // set as text nodes and never parsed as HTML.
        var li = $("<li></li>").addClass('list-group-item ng-binding ng-scope');
        var strong = $("<strong></strong>").addClass('ng-binding').text(k + ": ");
        li.append(strong);
        li.append(document.createTextNode(v));
        $("#ulId").append(li);
    });