Preventing Client Potential Code Injection in Javascript


I have created an application in Java on GAE and ran it against Checkmarx to check for security vulnerabilities, and it is throwing an error under the heading Client Potential Code Injection. It shows the error at the following line:

var email = $(this).text();

Below is that snippet from my code, and I am not sure why it is still throwing the error when I am escaping email before using it:

$("#user-modal .user-list li").click(function() {
  $("#user-modal").hide();
  var email = $(this).text();
  var escapedEmail = escapeHtml(email);
  $("input#user").val(escapedEmail);
  loadAllData(email);
});

Here is what the loadAllData method does with the passed email value:

function loadAllData(email) {
    $("#user-modal").modal('hide');
    userEmail = email;
    userParam = "";
    if (userEmail) {
        userParam = "?userEmail=" + userEmail;
    }
    requestGroups("");
    requestAdminRoles("");
    requestOrganizationalUnits("");

    // Search
    $("button.refresh-ou").bind("click", function() {
        var searchString = "/" + $("input.search-ou").val();
        requestOrganizationalUnits(searchString);
    });
    $("button.refresh-role").bind("click", function() {
        var searchString = "/" + $("input.search-role").val();
        requestAdminRoles(searchString);
    });
    $("button.refresh-group").bind("click", function() {
        var searchString = "/" + $("input.search-group").val();
        requestGroups(searchString);
    });
}

Can anyone help?


From owasp.org > M7: Client Side Injection > How Do I Prevent ‘Client Side Injection’?:

How Do I Prevent ‘Client Side Injection’? In general, protecting your application from client side injection requires looking at all the areas your application can receive data from and applying some sort of input validation. In certain cases this is simple, but for others it is more complex.

Apparently, OP's example is more complex: the user input gets sent to a function which sets a global variable, so now the program must be examined globally.

iOS Specific Best Practices:

  • SQLite Injection: When designing queries for SQLite be sure that user supplied data is being passed to a parameterized query. This can be spotted by looking for the format specifier used. In general, dangerous user supplied data will be inserted by a “%@” instead of a proper parameterized query specifier of “?”.
  • JavaScript Injection (XSS, etc.): Ensure that all UIWebView calls do not execute without proper input validation. Apply filters for dangerous JavaScript characters if possible, using a whitelist over blacklist character policy before rendering. If possible, call mobile Safari instead of rendering inside of UIWebkit, which has access to your application.
  • Local File Inclusion: Use input validation for NSFileManager calls.
  • XML Injection: Use libXML2 over NSXMLParser.
  • Format String Injection: Several Objective C methods are vulnerable to format string attacks:
    • NSLog, [NSString stringWithFormat:], [NSString initWithFormat:], [NSMutableString appendFormat:], [NSAlert informativeTextWithFormat:], [NSPredicate predicateWithFormat:], [NSException format:], NSRunAlertPanel.
    • Do not let sources outside of your control, such as user data and messages from other applications or web services, control any part of your format strings.
  • Classic C Attacks: Objective C is a superset of C; avoid using old C functions vulnerable to injection such as: strcat, strcpy, strncat, strncpy, sprintf, vsprintf, gets, etc.

Android Specific Best Practices:

  • SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (usually the default).
  • Local File Inclusion: Verify that File System Access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
  • Intent Injection/Fuzzing: Verify actions and data are validated via an Intent Filter for all Activities.
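The point the scanner is making in the question above, shown as an added example (not code from the question or from OWASP): escapeHtml() encodes for an HTML context, but the raw value is concatenated into a query string, so the value reaching the URL sink is never encoded and any input shape is accepted. The names escapeHtml, buildUserParamUnsafe, buildUserParamSafe, EMAIL_RE and the sample input are assumptions constructed for this illustration.

```javascript
// Constructed example: HTML escaping versus the encoding and validation the
// userParam concatenation in the question actually needs.

// HTML-context encoder, as the question applies it before setting the input value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Same shape as loadAllData in the question: the raw value is concatenated into
// a query string, so the HTML encoder above never touches what reaches the URL.
function buildUserParamUnsafe(email) {
  return email ? '?userEmail=' + email : '';
}

// Hardened version: validate against an allow-list of the expected shape, then
// encode for the context the value is used in (a URL query component).
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function buildUserParamSafe(email) {
  if (!email) return '';
  if (!EMAIL_RE.test(email)) {
    throw new Error('rejected: value is not a well-formed email address');
  }
  return '?userEmail=' + encodeURIComponent(email);
}

// Constructed sample: list-item text that smuggles a second query parameter.
const SAMPLE_INPUT = 'a@b.com&role=admin';

function demo() {
  let safe;
  try {
    safe = buildUserParamSafe(SAMPLE_INPUT);
  } catch (e) {
    safe = e.message;
  }
  return {
    html: escapeHtml(SAMPLE_INPUT),             // fine for innerHTML, wrong for a URL
    unsafe: buildUserParamUnsafe(SAMPLE_INPUT), // extra parameter passes straight through
    safe,                                       // rejected by the allow-list
    ok: buildUserParamSafe('user@example.com'), // '@' is percent-encoded
  };
}
```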