I am trying to run the Fortify code checker for security vulnerabilities, and it is flagging some instances where I have used setTimeout, and also some instances in standard third-party code libraries. Not sure how to fix them.
My JS files:
    var hasHash = document.location.hash;
    if (hasHash) {
        if ($.browser.msie) {
            // IE: defer the scroll adjustment until the browser has jumped to the anchor
            setTimeout(function () {
                MOM.utils.scrollTo(MOM.$window.scrollTop() - 60);
            }, 1000);
        } else {
            MOM.utils.scrollTo(MOM.$window.scrollTop() - 60);
        }
    }
The file all.js interprets unvalidated user input as source code on line 7982. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
Flags on line 1 and line 4 (setTimeout).
The timeout function in bootstrap.editable.js, which I am using to implement inline editing of some form fields:
    if (this.options.highlight) {
        var $e = this.$element,
            bgColor = $e.css('background-color');
        // flash the highlight colour, then fade back to the original background
        $e.css('background-color', this.options.highlight);
        setTimeout(function () {
            if (bgColor === 'transparent') {
                bgColor = '';
            }
            $e.css('background-color', bgColor);
            $e.addClass('editable-bg-transition');
            setTimeout(function () {
                $e.removeClass('editable-bg-transition');
            }, 1700);
        }, 10);
    }
The setInterval function in selectivizr.js:
    if (enabledWatchers.length > 0) {
        // poll the watched elements so the polyfill notices changes to their disabled state
        setInterval(function () {
            for (var c = 0, cl = enabledWatchers.length; c < cl; c++) {
                var e = enabledWatchers[c];
                if (e.disabled !== e.$disabled) {
                    if (e.disabled) {
                        // toggle the property so the element is re-evaluated
                        e.disabled = false;
                        e.$disabled = true;
                        e.disabled = true;
                    } else {
                        e.$disabled = e.disabled;
                    }
                }
            }
        }, 250);
    }
I am getting this same error on all three files. Not sure how to replace these JS commands, or how to deal with the third-party libraries either. What is a good approach to dealing with these security vulnerabilities?
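The following is an added example; it is not code from the question, from Fortify, or from the bootstrap-editable or selectivizr libraries. It shows why the rule fires (a browser evaluates a string passed as the first argument of setTimeout/setInterval as source code, which a function object never is), a small triage scan that separates string callbacks from function callbacks in source text, and, for the genuinely dangerous shape, a hardened closure. The MOM.utils.scrollTo name is taken from the question; the sample source lines, the handler variable and the idea of encoding a pixel offset in the URL hash are constructed for illustration and do not come from the page.

```javascript
// Added example (not code from the question, Fortify, bootstrap-editable or selectivizr).
// Browsers accept a string as the first argument of setTimeout/setInterval and
// evaluate it like eval(); that is the "interprets unvalidated input as source
// code" behaviour Fortify warns about. A function object is never parsed as
// code, so a flag on setTimeout(function () {...}, ms) is a false positive.

// Match a timer call and capture the first token of its first argument.
var TIMER_CALL = /\b(setTimeout|setInterval)\s*\(\s*(function\b|['"`]|\(|[A-Za-z_$][\w$]*)/g;

// Classify every setTimeout/setInterval call in a chunk of JavaScript source.
// Returns [{call, kind}] where kind is one of:
//   'function-callback'  literal function: safe, Fortify false positive
//   'string-callback'    string literal (possibly concatenated): real eval, fix it
//   'needs-review'       variable or parenthesised expression: check what it holds
function triageTimerCalls(source) {
  var results = [];
  var m;
  TIMER_CALL.lastIndex = 0;
  while ((m = TIMER_CALL.exec(source)) !== null) {
    var first = m[2];
    var kind;
    if (first === 'function') {
      kind = 'function-callback';
    } else if (first === '"' || first === "'" || first === '`') {
      kind = 'string-callback';
    } else {
      kind = 'needs-review';
    }
    results.push({ call: m[1], kind: kind });
  }
  return results;
}

// Constructed sample: the three calls from the question, condensed, plus one
// genuinely dangerous call of the kind the rule exists to catch and one that
// cannot be judged without knowing what the variable holds.
var SAMPLE_SOURCE = [
  "setTimeout(function () { MOM.utils.scrollTo(MOM.$window.scrollTop() - 60); }, 1000);",
  "setTimeout(function(){ $e.css('background-color', bgColor); }, 10);",
  "setInterval( function() { /* selectivizr watcher */ }, 250)",
  "setTimeout('MOM.utils.scrollTo(' + location.hash.slice(1) + ')', 1000);", // real finding
  "setTimeout(handler, 0);" // depends on what handler is (assumed variable)
].join('\n');

// The pattern the string-callback case represents: attacker data becomes code.
// location.hash is controlled by whoever crafts the URL. With
// location.hash = "#1);alert(document.cookie);(" the string built here is
// "MOM.utils.scrollTo(1);alert(document.cookie);()" and the browser would run it.
function unsafeCallbackSource(hash) {
  return 'MOM.utils.scrollTo(' + hash.slice(1) + ')';
}

// Hardened equivalent: the callback is a closure over a validated number, so
// the hash is data, never code. Encoding an offset in the hash is an assumed
// convention for this example; scrollTo is injected so it runs outside a browser.
function safeScrollCallback(hash, scrollTo) {
  var offset = parseInt(hash.slice(1), 10);
  if (!Number.isInteger(offset)) {
    offset = 0;
  }
  return function () { return scrollTo(offset); };
}

// Stand-alone run: print the triage table for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageTimerCalls(SAMPLE_SOURCE));
}
```

Run under Node, triageTimerCalls(SAMPLE_SOURCE) marks the three calls from the question as function-callback, which is the case to suppress in Fortify with a written justification rather than rewrite; only string-callback calls need the closure treatment, and needs-review calls depend on whether the variable can ever hold a string.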
Selectivizr is mainly used to make the UI compatible with IE 9 or below, and it is mainly concerned with CSS-related stuff. And the data is not coming from an external source, so we can consider it a false positive, but frankly, I am not sure. But you can try Conditional Comments or htmlshiv.js as an alternative to Selectivizr.js.