I have an input field that a security scan reports as vulnerable to XSS, with the injected payload shown as:
STYLE="xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(969)});"
Could you please suggest how we can prevent a vulnerability like this?
Field:
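<!-- Server-side template for the employee-date control.
     {Data} is interpolated straight into a quoted attribute value, so it must be
     HTML-attribute-encoded (at minimum &amp; &quot; &lt; &gt;) at the point where
     the server renders this tag; the same applies to every other {...} placeholder
     that is filled from request or stored data.
     The scanner finding (an extra STYLE attribute spliced in after value="...")
     is an attribute-context injection. The client-side sanitizeEmployeeDateData()
     function cannot undo it, because the browser has already parsed the injected
     markup by the time any script runs.
     Note: a hidden input is not rendered, so its onkeypress/onmouseover/onblur
     handlers will not fire. -->
<input id="{ControlItemUniqueID}Data" style="width:150px" name="{ControlItemUniqueName}"
type="hidden" {MaxLength}{IsEnabled} {IsReadOnly} class="datatext {CssClass}" value="{Data}" onkeypress="sanitizeEmployeeDateData()" onmouseover="sanitizeEmployeeDateData()" onblur="sanitizeEmployeeDateData()">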
<script>
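// Resets the employee-date hidden input to today's date (MM/DD/YYYY) and then
// strips anything that is not a digit or "/" from its value.
//
// NOTE(review): this runs in the browser after the server-rendered markup has
// already been parsed, so it cannot prevent the attribute injection the scanner
// reported (a STYLE attribute spliced in next to value="{Data}"). That finding
// has to be fixed on the server by HTML-attribute-encoding {Data} and the other
// interpolated placeholders when the <input> is rendered; this function is only
// client-side tidying of the value.
//
// elementId: optional id of the input to update. Defaults to
//            'LIC1_EmployeeDateData', so the existing inline handlers that
//            call this with no argument keep working.
// Returns nothing. Does nothing if the element is not in the document.
function sanitizeEmployeeDateData(elementId)
{
  var EmployeeDate = document.getElementById(elementId || 'LIC1_EmployeeDateData');
  if (EmployeeDate == null) {
    return;
  }
  var date = new Date();
  var d = date.getDate();
  var day = (d < 10) ? '0' + d : d;
  var m = date.getMonth() + 1;
  var month = (m < 10) ? '0' + m : m;
  // getFullYear() always yields the four-digit year; the deprecated getYear()
  // returns an offset from 1900 and needed the "+ 1900" correction.
  var year = date.getFullYear();
  EmployeeDate.value = month + "/" + day + "/" + year;
  // The original called .replace() on the element itself, which throws a
  // TypeError; sanitize the string value instead, with the global flag so
  // every run of disallowed characters is removed, not just the first.
  EmployeeDate.value = EmployeeDate.value.replace(/[^0-9/]+/g, "");
}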
</script>
Markup injected by the security scanner (as reported):
input id="LIC1_EmployeeDateOrigData" name="LIC1:EmployeeDateOrigData" type="hidden"
value="" STYLE="xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(969)});" >
<input id="LIC1_EmployeeDateData" style="width:150px" name="LIC1:EmployeeDate"
type="hidden" class="datatext HiddenItem EmployeeDate " value=""
STYLE="xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(969)});"
onkeypress="sanitizeEmployeeDateData()" onmouseover="sanitizeEmployeeDateData()"