Back to Codebase

Vulnerability Analysis Report

Magento Luma Default Theme v2.2.2

Scan ID: SCAN-MAGENTO-LUMA-1b54rA • Hash: 823e7bde

Severity Score
Critical
Total Findings
100
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
1.145s

Vulnerability Details

L42

Dynamic Code Execution in AssertOrderInOrdersGrid.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Sales/Test/Constraint/AssertOrderInOrdersGrid.php:42
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(OrderInjectable $order, OrderIndex $orderIndex, $status, $orderId = '')
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L21

Dynamic Code Execution in AssertCartPriceRuleFreeShippingIsApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/SalesRule/Test/Constraint/AssertCartPriceRuleFreeShippingIsApplied.php:21
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L59

Dynamic Code Execution in AssertShipmentItems.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Shipping/Test/Constraint/AssertShipmentItems.php:59
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert($order, $ids, $orderShipmentView, $data);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L71

Dynamic Code Execution in AssertTaxRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleApplying.php:71
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- abstract protected function assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L19

Dynamic Code Execution in AssertTaxRuleIsApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleIsApplied.php:19
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L21

Dynamic Code Execution in AssertTaxWithCrossBorderApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxWithCrossBorderApplied.php:21
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert($actualPrices)
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L55

Dynamic Code Execution in BundleProductsAssert.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Setup/Fixtures/FixturesAsserts/BundleProductsAssert.php:55
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L472

Dynamic Code Execution in Filesystem.php

CWE-94
File Location: lib/internal/Magento/Framework/Data/Collection/Filesystem.php:472
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$result = ' . $this->_filterEvalRendered . ';');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L103

Dynamic Code Execution in AssertCartPriceRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/SalesRule/Test/Constraint/AssertCartPriceRuleApplying.php:103
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- abstract protected function assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L71

Dynamic Code Execution in AssertShipmentItems.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Shipping/Test/Constraint/AssertShipmentItems.php:71
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert(
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L57

Dynamic Code Execution in AbstractAssertTaxWithCrossBorderApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AbstractAssertTaxWithCrossBorderApplying.php:57
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- abstract protected function assert($actualPrices);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L84

Dynamic Code Execution in AbstractAssertTaxWithCrossBorderApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AbstractAssertTaxWithCrossBorderApplying.php:84
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert($actualPrices);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L19

Dynamic Code Execution in AssertTaxRuleIsNotApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleIsNotApplied.php:19
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L121

Dynamic Code Execution in FixtureModelTest.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Setup/Fixtures/FixtureModelTest.php:121
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $entityAssert->assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L30

Dynamic Code Execution in AssertOrderInOrdersGrid.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Sales/Test/Constraint/AssertOrderInOrdersGrid.php:30
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert($order, $orderIndex, $status, $orderId);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L36

Dynamic Code Execution in AssertOrdersInOrdersGrid.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Sales/Test/Constraint/AssertOrdersInOrdersGrid.php:36
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $assertOrderInOrdersGrid->assert($order, $orderIndex, $orderStatuses[$key]);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L19

Dynamic Code Execution in AssertCartPriceRuleConditionIsApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/SalesRule/Test/Constraint/AssertCartPriceRuleConditionIsApplied.php:19
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L19

Dynamic Code Execution in AssertCartPriceRuleConditionIsNotApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/SalesRule/Test/Constraint/AssertCartPriceRuleConditionIsNotApplied.php:19
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L75

Dynamic Code Execution in ImagesAssert.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Setup/Fixtures/FixturesAsserts/ImagesAssert.php:75
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L50

Dynamic Code Execution in SimpleProductsAssert.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Setup/Fixtures/FixturesAsserts/SimpleProductsAssert.php:50
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L193

Dynamic Code Execution in AssertCartPriceRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/SalesRule/Test/Constraint/AssertCartPriceRuleApplying.php:193
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L141

Dynamic Code Execution in AssertTaxRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleApplying.php:141
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L21

Dynamic Code Execution in AssertTaxWithCrossBorderNotApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxWithCrossBorderNotApplied.php:21
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert($actualPrices)
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L141

Dynamic Code Execution in MassActionTest.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/Cache/MassActionTest.php:141
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $configData = eval(str_replace('<?php', '', file_get_contents($configPath)));
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L54

Dynamic Code Execution in ConfigurableProductsAssert.php

CWE-94
File Location: dev/tests/integration/testsuite/Magento/Setup/Fixtures/FixturesAsserts/ConfigurableProductsAssert.php:54
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L615

Insecure DOM Manipulation (XSS) in configure.js

CWE-79
File Location: app/code/Magento/Catalog/view/adminhtml/web/catalog/product/composite/configure.js:615
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this._getIFrameContent().body.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L235

Insecure DOM Manipulation (XSS) in addresses.js

CWE-79
File Location: app/code/Magento/Customer/view/adminhtml/web/edit/tab/js/addresses.js:235
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- itemContainer[0].innerHTML = tmpl;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L84

Insecure DOM Manipulation (XSS) in msrp.js

CWE-79
File Location: app/code/Magento/Msrp/view/base/web/js/msrp.js:84
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $msrpPopup = $(popupDOM.innerHTML.trim());
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in highlight.9.1.0.pack_extended.js

CWE-79
File Location: app/code/Magento/Swagger/view/frontend/web/swagger-ui/js/lib/highlight.9.1.0.pack_extended.js:1
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- "use strict";!function(){var h,l;h=hljs.configure,hljs.configure=function(l){var i=l.highlightSizeThreshold;hljs.highlightSizeThreshold=i===+i?i:null,h.call(this,l)},l=hljs.highlightBlock,hljs.highlightBlock=function(h){var i=h.innerHTML,g=hljs.highlightSizeThreshold;(null==g||g>i.length)&&l.call(hljs,h)}}();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4

Insecure DOM Manipulation (XSS) in jsoneditor.min.js

CWE-79
File Location: app/code/Magento/Swagger/view/frontend/web/swagger-ui/js/lib/jsoneditor.min.js:4
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.preview.appendChild(s)}this.preview.innerHTML+="<br>";var r=this.getButton("Upload","upload","Upload");this.preview.appendChild(r),r.addEventListener("click",function(e){e.preventDefault(),r.setAttribute("disabled","disabled"),t.theme.removeInputError(t.uploader),t.theme.getProgressBar&&(t.progressBar=t.theme.getProgressBar(),t.preview.appendChild(t.progressBar)),t.jsoneditor.options.upload(t.path,i,{success:function(e){t.setValue(e),t.parent?t.parent.onChildEditorChange(t):t.jsoneditor.onChange(),t.progressBar&&t.preview.removeChild(t.progressBar),r.removeAttribute("disabled")},failure:function(e){t.theme.addInputError(t.uploader,e),t.progressBar&&t.preview.removeChild(t.progressBar),r.removeAttribute("disabled")},updateProgress:function(e){t.progressBar&&(e?t.theme.updateProgressBar(t.progressBar,e):t.theme.updateProgressBarUnknown(t.progressBar))}})})}},enable:function(){this.uploader&&(this.uploader.disabled=!1),this._super()},disable:function(){this.uploader&&(this.uploader.disabled=!0),this._super()},setValue:function(t){this.value!==t&&(this.value=t,this.input.value=this.value,this.onChange())},destroy:function(){this.preview&&this.preview.parentNode&&this.preview.parentNode.removeChild(this.preview),this.title&&this.title.parentNode&&this.title.parentNode.removeChild(this.title),this.input&&this.input.parentNode&&this.input.parentNode.removeChild(this.input),this.uploader&&this.uploader.parentNode&&this.uploader.parentNode.removeChild(this.uploader),this._super()}}),n.defaults.editors.checkbox=n.AbstractEditor.extend({setValue:function(t,e){this.value=!!t,this.input.checked=this.value,this.onChange()},register:function(){this._super(),this.input&&this.input.setAttribute("name",this.formname)},unregister:function(){this._super(),this.input&&this.input.removeAttribute("name")},getNumColumns:function(){return Math.min(12,Math.max(this.getTitle().length/7,2))},build:function(){var t=this;this.options.compact||(this.label=this.header=this.theme.getCheckboxLabel(this.getTitle())),this.schema.description&&(this.description=this.theme.getFormInputDescription(this.schema.description)),this.options.compact&&(this.container.className+=" compact"),this.input=this.theme.getCheckbox(),this.control=this.theme.getFormControl(this.label,this.input,this.description),(this.schema.readOnly||this.schema.readonly)&&(this.always_disabled=!0,this.input.disabled=!0),this.input.addEventListener("change",function(e){e.preventDefault(),e.stopPropagation(),t.value=this.checked,t.onChange(!0)}),this.container.appendChild(this.control)},enable:function(){this.always_disabled||(this.input.disabled=!1),this._super()},disable:function(){this.input.disabled=!0,this._super()},destroy:function(){this.label&&this.label.parentNode&&this.label.parentNode.removeChild(this.label),this.description&&this.description.parentNode&&this.description.parentNode.removeChild(this.description),this.input&&this.input.parentNode&&this.input.parentNode.removeChild(this.input),this._super()}});var o=function(){var t=document.documentElement;return t.matches?"matches":t.webkitMatchesSelector?"webkitMatchesSelector":t.mozMatchesSelector?"mozMatchesSelector":t.msMatchesSelector?"msMatchesSelector":t.oMatchesSelector?"oMatchesSelector":void 0}();n.AbstractTheme=t.extend({getContainer:function(){return document.createElement("div")},getFloatRightLinkHolder:function(){var t=document.createElement("div");return t.style=t.style||{},t.style.cssFloat="right",t.style.marginLeft="10px",t},getModal:function(){var t=document.createElement("div");return t.style.backgroundColor="white",t.style.border="1px solid black",t.style.boxShadow="3px 3px black",t.style.position="absolute",t.style.zIndex="10",t.style.display="none",t},getGridContainer:function(){var t=document.createElement("div");return t},getGridRow:function(){var t=document.createElement("div");return t.className="row",t},getGridColumn:function(){var t=document.createElement("div");return t},setGridColumnSize:function(t,e){},getLink:function(t){var e=document.createElement("a");return e.setAttribute("href","#"),e.appendChild(document.createTextNode(t)),e},disableHeader:function(t){t.style.color="#ccc"},disableLabel:function(t){t.style.color="#ccc"},enableHeader:function(t){t.style.color=""},enableLabel:function(t){t.style.color=""},getFormInputLabel:function(t){var e=document.createElement("label");return e.appendChild(document.createTextNode(t)),e},getCheckboxLabel:function(t){var e=this.getFormInputLabel(t);return e.style.fontWeight="normal",e},getHeader:function(t,e){var i=document.createElement("h3");return"string"==typeof t?i.textContent=t:i.appendChild(t),e&&(i.className+=" required"),i},getCheckbox:function(){var t=this.getFormInputField("checkbox");return t.style.display="inline-block",t.style.width="auto",t},getMultiCheckboxHolder:function(t,e,i){var s=document.createElement("div");e&&(e.style.display="block",s.appendChild(e));for(var r in t)t.hasOwnProperty(r)&&(t[r].style.display="inline-block",t[r].style.marginRight="20px",s.appendChild(t[r]));return i&&s.appendChild(i),s},getSelectInput:function(t){var e=document.createElement("select");return t&&this.setSelectOptions(e,t),e},getSwitcher:function(t){var e=this.getSelectInput(t);return e.style.backgroundColor="transparent",e.style.display="inline-block",e.style.fontStyle="italic",e.style.fontWeight="normal",e.style.height="auto",e.style.marginBottom=0,e.style.marginLeft="5px",e.style.padding="0 0 0 3px",e.style.width="auto",e},getSwitcherOptions:function(t){return t.getElementsByTagName("option")},setSwitcherOptions:function(t,e,i){this.setSelectOptions(t,e,i)},setSelectOptions:function(t,e,i){i=i||[],t.innerHTML="";for(var s=0;s<e.length;s++){var r=document.createElement("option");r.setAttribute("value",e[s]),r.textContent=i[s]||e[s],t.appendChild(r)}},getTextareaInput:function(){var t=document.createElement("textarea");return t.style=t.style||{},t.style.width="100%",t.style.height="300px",t.style.boxSizing="border-box",t},getRangeInput:function(t,e,i){var s=this.getFormInputField("range");return s.setAttribute("min",t),s.setAttribute("max",e),s.setAttribute("step",i),s},getFormInputField:function(t){var e=document.createElement("input");return e.setAttribute("type",t),e},afterInputReady:function(t){},getFormControl:function(t,e,i){var s=document.createElement("div");return s.className="form-control",t&&s.appendChild(t),"checkbox"===e.type?t.insertBefore(e,t.firstChild):s.appendChild(e),i&&s.appendChild(i),s},getIndentedPanel:function(){var t=document.createElement("div");return t.style=t.style||{},t.style.paddingLeft="10px",t.style.marginLeft="10px",t.style.borderLeft="1px solid #ccc",t},getChildEditorHolder:function(){return document.createElement("div")},getDescription:function(t){var e=document.createElement("p");return e.innerHTML=t,e},getCheckboxDescription:function(t){return this.getDescription(t)},getFormInputDescription:function(t){return this.getDescription(t)},getHeaderButtonHolder:function(){return this.getButtonHolder()},getButtonHolder:function(){return document.createElement("div")},getButton:function(t,e,i){var s=document.createElement("button");return s.type="button",this.setButtonText(s,t,e,i),s},setButtonText:function(t,e,i,s){t.innerHTML="",i&&(t.appendChild(i),t.innerHTML+=" "),t.appendChild(document.createTextNode(e)),s&&t.setAttribute("title",s)},getTable:function(){return document.createElement("table")},getTableRow:function(){return document.createElement("tr")},getTableHead:function(){return document.createElement("thead")},getTableBody:function(){return document.createElement("tbody")},getTableHeaderCell:function(t){var e=document.createElement("th");return e.textContent=t,e},getTableCell:function(){var t=document.createElement("td");return t},getErrorMessage:function(t){var e=document.createElement("p");return e.style=e.style||{},e.style.color="red",e.appendChild(document.createTextNode(t)),e},addInputError:function(t,e){},removeInputError:function(t){},addTableRowError:function(t){},removeTableRowError:function(t){},getTabHolder:function(){var t=document.createElement("div");return t.innerHTML="<div style='float: left; width: 130px;' class='tabs'></div><div class='content' style='margin-left: 130px;'></div><div style='clear:both;'></div>",t},applyStyles:function(t,e){t.style=t.style||{};for(var i in e)e.hasOwnProperty(i)&&(t.style[i]=e[i])},closest:function(t,e){for(;t&&t!==document;){if(!o)return!1;if(t[o](e))return t;t=t.parentNode}return!1},getTab:function(t){var e=document.createElement("div");return e.appendChild(t),e.style=e.style||{},this.applyStyles(e,{border:"1px solid #ccc",borderWidth:"1px 0 1px 1px",textAlign:"center",lineHeight:"30px",borderRadius:"5px",borderBottomRightRadius:0,borderTopRightRadius:0,fontWeight:"bold",cursor:"pointer"}),e},getTabContentHolder:function(t){return t.children[1]},getTabContent:function(){return this.getIndentedPanel()},markTabActive:function(t){this.applyStyles(t,{opacity:1,background:"white"})},markTabInactive:function(t){this.applyStyles(t,{opacity:.5,background:""})},addTab:function(t,e){t.children[0].appendChild(e)},getBlockLink:function(){var t=document.createElement("a");return t.style.display="block",t},getBlockLinkHolder:function(){var t=document.createElement("div");return t},getLinksHolder:function(){var t=document.createElement("div");return t},createMediaLink:function(t,e,i){t.appendChild(e),i.style.width="100%",t.appendChild(i)},createImageLink:function(t,e,i){t.appendChild(e),e.appendChild(i)}}),n.defaults.themes.bootstrap2=n.AbstractTheme.extend({getRangeInput:function(t,e,i){return this._super(t,e,i)},getGridContainer:function(){var t=document.createElement("div");return t.className="container-fluid",t},getGridRow:function(){var t=document.createElement("div");return t.className="row-fluid",t},getFormInputLabel:function(t,e){var i=this._super(t);return i.style.display="inline-block",i.style.fontWeight="bold",e&&(i.className+=" required"),i},setGridColumnSize:function(t,e){t.className="span"+e},getSelectInput:function(t){var e=this._super(t);return e.style.width="auto",e.style.maxWidth="98%",e},getFormInputField:function(t){var e=this._super(t);return e.style.width="98%",e},afterInputReady:function(t){t.controlgroup||(t.controlgroup=this.closest(t,".control-group"),t.controls=this.closest(t,".controls"),this.closest(t,".compact")&&(t.controlgroup.className=t.controlgroup.className.replace(/control-group/g,"").replace(/[ ]{2,}/g," "),t.controls.className=t.controlgroup.className.replace(/controls/g,"").replace(/[ ]{2,}/g," "),t.style.marginBottom=0))},getIndentedPanel:function(){var t=document.createElement("div");return t.className="well well-small",t},getFormInputDescription:function(t){var e=document.createElement("p");return e.className="help-inline",e.textContent=t,e},getFormControl:function(t,e,i){var s=document.createElement("div");s.className="control-group";var r=document.createElement("div");return r.className="controls",t&&"checkbox"===e.getAttribute("type")?(s.appendChild(r),t.className+=" checkbox",t.appendChild(e),r.appendChild(t),r.style.height="30px"):(t&&(t.className+=" control-label",s.appendChild(t)),r.appendChild(e),s.appendChild(r)),i&&r.appendChild(i),s},getHeaderButtonHolder:function(){var t=this.getButtonHolder();return t.style.marginLeft="10px",t},getButtonHolder:function(){var t=document.createElement("div");return t.className="btn-group",t},getButton:function(t,e,i){var s=this._super(t,e,i);return s.className+=" btn btn-default",s},getTable:function(){var t=document.createElement("table");return t.className="table table-bordered",t.style.width="auto",t.style.maxWidth="none",t},addInputError:function(t,e){t.controlgroup&&t.controls&&(t.controlgroup.className+=" error",t.errmsg?t.errmsg.style.display="":(t.errmsg=document.createElement("p"),t.errmsg.className="help-block errormsg",t.controls.appendChild(t.errmsg)),t.errmsg.textContent=e)},removeInputError:function(t){t.errmsg&&(t.errmsg.style.display="none",t.controlgroup.className=t.controlgroup.className.replace(/\s?error/g,""))},getTabHolder:function(){var t=document.createElement("div");return t.className="tabbable tabs-left",t.innerHTML="<ul class='nav nav-tabs span2' style='margin-right: 0;'></ul><div class='tab-content span10' style='overflow:visible;'></div>",t},getTab:function(t){var e=document.createElement("li"),i=document.createElement("a");return i.setAttribute("href","#"),i.appendChild(t),e.appendChild(i),e},getTabContentHolder:function(t){return t.children[1]},getTabContent:function(){var t=document.createElement("div");return t.className="tab-pane active",t},markTabActive:function(t){t.className+=" active"},markTabInactive:function(t){t.className=t.className.replace(/\s?active/g,"")},addTab:function(t,e){t.children[0].appendChild(e)},getProgressBar:function(){var t=document.createElement("div");t.className="progress";var e=document.createElement("div");return e.className="bar",e.style.width="0%",t.appendChild(e),t},updateProgressBar:function(t,e){t&&(t.firstChild.style.width=e+"%")},updateProgressBarUnknown:function(t){t&&(t.className="progress progress-striped active",t.firstChild.style.width="100%")}}),n.defaults.themes.bootstrap3=n.AbstractTheme.extend({getSelectInput:function(t){var e=this._super(t);return e.className+="form-control",e},setGridColumnSize:function(t,e){t.className="col-md-"+e},afterInputReady:function(t){t.controlgroup||(t.controlgroup=this.closest(t,".form-group"),this.closest(t,".compact")&&(t.controlgroup.style.marginBottom=0))},getTextareaInput:function(){var t=document.createElement("textarea");return t.className="form-control",t},getRangeInput:function(t,e,i){return this._super(t,e,i)},getFormInputField:function(t){var e=this._super(t);return"checkbox"!==t&&(e.className+="form-control"),e},getFormControl:function(t,e,i){var s=document.createElement("div");return t&&"checkbox"===e.type?(s.className+=" checkbox",t.appendChild(e),t.style.fontSize="14px",s.style.marginTop="0",s.appendChild(t),e.style.position="relative",e.style.cssFloat="left"):(s.className+=" form-group",t&&(t.className+=" control-label",s.appendChild(t)),s.appendChild(e)),i&&s.appendChild(i),s},getIndentedPanel:function(){var t=document.createElement("div");return t.className="well well-sm",t},getFormInputDescription:function(t){var e=document.createElement("p");return e.className="help-block",e.innerHTML=t,e},getHeaderButtonHolder:function(){var t=this.getButtonHolder();return t.style.marginLeft="10px",t},getButtonHolder:function(){var t=document.createElement("div");return t.className="btn-group",t},getButton:function(t,e,i){var s=this._super(t,e,i);return s.className+="btn btn-default",s},getTable:function(){var t=document.createElement("table");return t.className="table table-bordered",t.style.width="auto",t.style.maxWidth="none",t},addInputError:function(t,e){t.controlgroup&&(t.controlgroup.className+=" has-error",t.errmsg?t.errmsg.style.display="":(t.errmsg=document.createElement("p"),t.errmsg.className="help-block errormsg",t.controlgroup.appendChild(t.errmsg)),t.errmsg.textContent=e)},removeInputError:function(t){t.errmsg&&(t.errmsg.style.display="none",t.controlgroup.className=t.controlgroup.className.replace(/\s?has-error/g,""))},getTabHolder:function(){var t=document.createElement("div");return t.innerHTML="<div class='tabs list-group col-md-2'></div><div class='col-md-10'></div>",t.className="rows",t},getTab:function(t){var e=document.createElement("a");return e.className="list-group-item",e.setAttribute("href","#"),e.appendChild(t),e},markTabActive:function(t){t.className+=" active"},markTabInactive:function(t){t.className=t.className.replace(/\s?active/g,"")},getProgressBar:function(){var t=0,e=100,i=0,s=document.createElement("div");s.className="progress";var r=document.createElement("div");return r.className="progress-bar",r.setAttribute("role","progressbar"),r.setAttribute("aria-valuenow",i),r.setAttribute("aria-valuemin",t),r.setAttribute("aria-valuenax",e),r.innerHTML=i+"%",s.appendChild(r),s},updateProgressBar:function(t,e){if(t){var i=t.firstChild,s=e+"%";i.setAttribute("aria-valuenow",e),i.style.width=s,i.innerHTML=s}},updateProgressBarUnknown:function(t){if(t){var e=t.firstChild;t.className="progress progress-striped active",e.removeAttribute("aria-valuenow"),e.style.width="100%",e.innerHTML=""}}}),n.defaults.themes.foundation=n.AbstractTheme.extend({getChildEditorHolder:function(){var t=document.createElement("div");return t.style.marginBottom="15px",t},getSelectInput:function(t){var e=this._super(t);return e.style.minWidth="none",e.style.padding="5px",e.style.marginTop="3px",e},getSwitcher:function(t){var e=this._super(t);return e.style.paddingRight="8px",e},afterInputReady:function(t){this.closest(t,".compact")&&(t.style.marginBottom=0),t.group=this.closest(t,".form-control")},getFormInputLabel:function(t,e){var i=this._super(t);return i.style.display="inline-block",e&&(i.className+=" required"),i},getFormInputField:function(t){var e=this._super(t);return e.style.width="100%",e.style.marginBottom="checkbox"===t?"0":"12px",e},getFormInputDescription:function(t){var e=document.createElement("p");return e.textContent=t,e.style.marginTop="-10px",e.style.fontStyle="italic",e},getIndentedPanel:function(){var t=document.createElement("div");return t.className="panel",t},getHeaderButtonHolder:function(){var t=this.getButtonHolder();return t.style.display="inline-block",t.style.marginLeft="10px",t.style.verticalAlign="middle",t},getButtonHolder:function(){var t=document.createElement("div");return t.className="button-group",t},getButton:function(t,e,i){var s=this._super(t,e,i);return s.className+=" small button",s},addInputError:function(t,e){t.group&&(t.group.className+=" error",t.errmsg?t.errmsg.style.display="":(t.insertAdjacentHTML("afterend",'<small class="error"></small>'),t.errmsg=t.parentNode.getElementsByClassName("error")[0]),t.errmsg.textContent=e)},removeInputError:function(t){t.errmsg&&(t.group.className=t.group.className.replace(/ error/g,""),t.errmsg.style.display="none")},getProgressBar:function(){var t=document.createElement("div");t.className="progress";var e=document.createElement("span");return e.className="meter",e.style.width="0%",t.appendChild(e),t},updateProgressBar:function(t,e){t&&(t.firstChild.style.width=e+"%")},updateProgressBarUnknown:function(t){t&&(t.firstChild.style.width="100%")}}),n.defaults.themes.foundation3=n.defaults.themes.foundation.extend({getHeaderButtonHolder:function(){var t=this._super();return t.style.fontSize=".6em",t},getFormInputLabel:function(t,e){var i=this._super(t);return i.style.fontWeight="bold",e&&(i.className+=" required"),i},getTabHolder:function(){var t=document.createElement("div");return t.className="row",t.innerHTML="<dl class='tabs vertical two columns'></dl><div class='tabs-content ten columns'></div>",t},setGridColumnSize:function(t,e){var i=["zero","one","two","three","four","five","six","seven","eight","nine","ten","eleven","twelve"];t.className="columns "+i[e]},getTab:function(t){var e=document.createElement("dd"),i=document.createElement("a");return i.setAttribute("href","#"),i.appendChild(t),e.appendChild(i),e},getTabContentHolder:function(t){return t.children[1]},getTabContent:function(){var t=document.createElement("div");return t.className="content active",t.style.paddingLeft="5px",t},markTabActive:function(t){t.className+=" active"},markTabInactive:function(t){t.className=t.className.replace(/\s*active/g,"")},addTab:function(t,e){t.children[0].appendChild(e)}}),n.defaults.themes.foundation4=n.defaults.themes.foundation.extend({getHeaderButtonHolder:function(){var t=this._super();return t.style.fontSize=".6em",t},setGridColumnSize:function(t,e){t.className="columns large-"+e},getFormInputDescription:function(t){var e=this._super(t);return e.style.fontSize=".8rem",e},getFormInputLabel:function(t,e){var i=this._super(t);return i.style.fontWeight="bold",e&&(i.className+=" required"),i}}),n.defaults.themes.foundation5=n.defaults.themes.foundation.extend({getFormInputDescription:function(t){var e=this._super(t);return e.style.fontSize=".8rem",e},setGridColumnSize:function(t,e){t.className="columns medium-"+e},getButton:function(t,e,i){var s=this._super(t,e,i);return s.className=s.className.replace(/\s*small/g,"")+" tiny",s},getTabHolder:function(){var t=document.createElement("div");return t.innerHTML="<dl class='tabs vertical'></dl><div class='tabs-content vertical'></div>",t},getTab:function(t){var e=document.createElement("dd"),i=document.createElement("a");return i.setAttribute("href","#"),i.appendChild(t),e.appendChild(i),e},getTabContentHolder:function(t){return t.children[1]},getTabContent:function(){var t=document.createElement("div");return t.className="content active",t.style.paddingLeft="5px",t},markTabActive:function(t){t.className+=" active"},markTabInactive:function(t){t.className=t.className.replace(/\s*active/g,"")},addTab:function(t,e){t.children[0].appendChild(e)}}),n.defaults.themes.html=n.AbstractTheme.extend({getFormInputLabel:function(t,e){var i=this._super(t);return i.style.display="block",i.style.marginBottom="3px",i.style.fontWeight="bold",e&&(i.className+=" required"),i},getFormInputDescription:function(t){var e=this._super(t);return e.style.fontSize=".8em",e.style.margin=0,e.style.display="inline-block",e.style.fontStyle="italic",e},getIndentedPanel:function(){var t=this._super();return t.style.border="1px solid #ddd",t.style.padding="5px",t.style.margin="5px",t.style.borderRadius="3px",t},getChildEditorHolder:function(){var t=this._super();return t.style.marginBottom="8px",t},getHeaderButtonHolder:function(){var t=this.getButtonHolder();return t.style.display="inline-block",t.style.marginLeft="10px",t.style.fontSize=".8em",t.style.verticalAlign="middle",t},getTable:function(){var t=this._super();return t.style.borderBottom="1px solid #ccc",t.style.marginBottom="5px",t},addInputError:function(t,e){if(t.style.borderColor="red",t.errmsg)t.errmsg.style.display="block";else{var i=this.closest(t,".form-control");t.errmsg=document.createElement("div"),t.errmsg.setAttribute("class","errmsg"),t.errmsg.style=t.errmsg.style||{},t.errmsg.style.color="red",i.appendChild(t.errmsg)}t.errmsg.innerHTML="",t.errmsg.appendChild(document.createTextNode(e))},removeInputError:function(t){t.style.borderColor="",t.errmsg&&(t.errmsg.style.display="none")},getProgressBar:function(){var t=100,e=0,i=document.createElement("progress");return i.setAttribute("max",t),i.setAttribute("value",e),i},updateProgressBar:function(t,e){t&&t.setAttribute("value",e)},updateProgressBarUnknown:function(t){t&&t.removeAttribute("value")}}),n.defaults.themes.jqueryui=n.AbstractTheme.extend({getTable:function(){var t=this._super();return t.setAttribute("cellpadding",5),t.setAttribute("cellspacing",0),t},getTableHeaderCell:function(t){var e=this._super(t);return e.className="ui-state-active",e.style.fontWeight="bold",e},getTableCell:function(){var t=this._super();return t.className="ui-widget-content",t},getHeaderButtonHolder:function(){var t=this.getButtonHolder();return t.style.marginLeft="10px",t.style.fontSize=".6em",t.style.display="inline-block",t},getFormInputDescription:function(t){var e=this.getDescription(t);return e.style.marginLeft="10px",e.style.display="inline-block",e},getFormControl:function(t,e,i){var s=this._super(t,e,i);return"checkbox"===e.type?(s.style.lineHeight="25px",s.style.padding="3px 0"):s.style.padding="4px 0 8px 0",s},getDescription:function(t){var e=document.createElement("span");return e.style.fontSize=".8em",e.style.fontStyle="italic",e.textContent=t,e},getButtonHolder:function(){var t=document.createElement("div");return t.className="ui-buttonset",t.style.fontSize=".7em",t},getFormInputLabel:function(t,e){var i=document.createElement("label");return i.style.fontWeight="bold",i.style.display="block",e&&(i.className+=" required"),i.textContent=t,i},getButton:function(t,e,i){var s=document.createElement("button");s.className="ui-button ui-widget ui-state-default ui-corner-all",e&&!t?(s.className+=" ui-button-icon-only",e.className+=" ui-button-icon-primary ui-icon-primary",s.appendChild(e)):e?(s.className+=" ui-button-text-icon-primary",e.className+=" ui-button-icon-primary ui-icon-primary",s.appendChild(e)):s.className+=" ui-button-text-only";var r=document.createElement("span");return r.className="ui-button-text",r.textContent=t||i||".",s.appendChild(r),s.setAttribute("title",i),s},setButtonText:function(t,e,i,s){t.innerHTML="",t.className="ui-button ui-widget ui-state-default ui-corner-all",i&&!e?(t.className+=" ui-button-icon-only",i.className+=" ui-button-icon-primary ui-icon-primary",t.appendChild(i)):i?(t.className+=" ui-button-text-icon-primary",i.className+=" ui-button-icon-primary ui-icon-primary",t.appendChild(i)):t.className+=" ui-button-text-only";var r=document.createElement("span");r.className="ui-button-text",r.textContent=e||s||".",t.appendChild(r),t.setAttribute("title",s)},getIndentedPanel:function(){var t=document.createElement("div");return t.className="ui-widget-content ui-corner-all",t.style.padding="1em 1.4em",t.style.marginBottom="20px",t},afterInputReady:function(t){t.controls||(t.controls=this.closest(t,".form-control"))},addInputError:function(t,e){t.controls&&(t.errmsg?t.errmsg.style.display="":(t.errmsg=document.createElement("div"),t.errmsg.className="ui-state-error",t.controls.appendChild(t.errmsg)),t.errmsg.textContent=e)},removeInputError:function(t){t.errmsg&&(t.errmsg.style.display="none")},markTabActive:function(t){t.className=t.className.replace(/\s*ui-widget-header/g,"")+" ui-state-active"},markTabInactive:function(t){t.className=t.className.replace(/\s*ui-state-active/g,"")+" ui-widget-header"}}),n.AbstractIconLib=t.extend({mapping:{collapse:"",expand:"","delete":"",edit:"",add:"",cancel:"",save:"",moveup:"",movedown:""},icon_prefix:"",getIconClass:function(t){return this.mapping[t]?this.icon_prefix+this.mapping[t]:null},getIcon:function(t){var e=this.getIconClass(t);if(!e)return null;var i=document.createElement("i");return i.className=e,i}}),n.defaults.iconlibs.bootstrap2=n.AbstractIconLib.extend({mapping:{collapse:"chevron-down",expand:"chevron-up","delete":"trash",edit:"pencil",add:"plus",cancel:"ban-circle",save:"ok",moveup:"arrow-up",movedown:"arrow-down"},icon_prefix:"icon-"}),n.defaults.iconlibs.bootstrap3=n.AbstractIconLib.extend({mapping:{collapse:"chevron-down",expand:"chevron-right","delete":"remove",edit:"pencil",add:"plus",cancel:"floppy-remove",save:"floppy-saved",moveup:"arrow-up",movedown:"arrow-down"},icon_prefix:"glyphicon glyphicon-"}),n.defaults.iconlibs.fontawesome3=n.AbstractIconLib.extend({mapping:{collapse:"chevron-down",expand:"chevron-right","delete":"remove",edit:"pencil",add:"plus",cancel:"ban-circle",save:"save",moveup:"arrow-up",movedown:"arrow-down"},icon_prefix:"icon-"}),n.defaults.iconlibs.fontawesome4=n.AbstractIconLib.extend({mapping:{collapse:"caret-square-o-down",expand:"caret-square-o-right","delete":"times",edit:"pencil",add:"plus",cancel:"ban",save:"save",moveup:"arrow-up",movedown:"arrow-down"},icon_prefix:"fa fa-"}),n.defaults.iconlibs.foundation2=n.AbstractIconLib.extend({mapping:{collapse:"minus",expand:"plus","delete":"remove",edit:"edit",add:"add-doc",cancel:"error",save:"checkmark",moveup:"up-arrow",movedown:"down-arrow"},icon_prefix:"foundicon-"}),n.defaults.iconlibs.foundation3=n.AbstractIconLib.extend({mapping:{collapse:"minus",expand:"plus","delete":"x",edit:"pencil",add:"page-add",cancel:"x-circle",save:"save",moveup:"arrow-up",movedown:"arrow-down"},icon_prefix:"fi-"}),n.defaults.iconlibs.jqueryui=n.AbstractIconLib.extend({mapping:{collapse:"triangle-1-s",expand:"triangle-1-e","delete":"trash",edit:"pencil",add:"plusthick",cancel:"closethick",save:"disk",moveup:"arrowthick-1-n",movedown:"arrowthick-1-s"},icon_prefix:"ui-icon ui-icon-"}),n.defaults.templates["default"]=function(){return{compile:function(t){var e=t.match(/{{\s*([a-zA-Z0-9\-_ \.]+)\s*}}/g),i=e&&e.length;if(!i)return function(){return t};for(var s=[],r=function(t){var i,r=e[t].replace(/[{}]+/g,"").trim().split("."),n=r.length;if(n>1){var o;i=function(e){for(o=e,t=0;n>t&&(o=o[r[t]]);t++);return o}}else r=r[0],i=function(t){return t[r]};s.push({s:e[t],r:i})},n=0;i>n;n++)r(n);return function(e){var r,o=t+"";for(n=0;i>n;n++)r=s[n],o=o.replace(r.s,r.r(e));return o}}}},n.defaults.templates.ejs=function(){return!!window.EJS&&{compile:function(t){var e=new window.EJS({text:t});return function(t){return e.render(t)}}}},n.defaults.templates.handlebars=function(){return window.Handlebars},n.defaults.templates.hogan=function(){return!!window.Hogan&&{compile:function(t){var e=window.Hogan.compile(t);return function(t){return e.render(t)}}}},n.defaults.templates.markup=function(){return!(!window.Mark||!window.Mark.up)&&{compile:function(t){return function(e){return window.Mark.up(t,e)}}}},n.defaults.templates.mustache=function(){return!!window.Mustache&&{compile:function(t){return function(e){return window.Mustache.render(t,e)}}}},n.defaults.templates.swig=function(){return window.swig},n.defaults.templates.underscore=function(){return!!window._&&{compile:function(t){return function(e){return window._.template(t,e)}}}},n.defaults.theme="html",n.defaults.template="default",n.defaults.options={},n.defaults.translate=function(t,e){var i=n.defaults.languages[n.defaults.language];if(!i)throw"Unknown language "+n.defaults.language;var s=i[t]||n.defaults.languages[n.defaults.default_language][t];if("undefined"==typeof s)throw"Unknown translate string "+t;if(e)for(var r=0;r<e.length;r++)s=s.replace(new RegExp("\\{\\{"+r+"}}","g"),e[r]);return s},n.defaults.default_language="en",n.defaults.language=n.defaults.default_language,n.defaults.languages.en={error_notset:"Property must be set",error_notempty:"Value required",error_enum:"Value must be one of the enumerated values",error_anyOf:"Value must validate against at least one of the provided schemas",error_oneOf:"Value must validate against exactly one of the provided schemas. It currently validates against {{0}} of the schemas.",error_not:"Value must not validate against the provided schema",error_type_union:"Value must be one of the provided types",error_type:"Value must be of type {{0}}",error_disallow_union:"Value must not be one of the provided disallowed types",error_disallow:"Value must not be of type {{0}}",error_multipleOf:"Value must be a multiple of {{0}}",error_maximum_excl:"Value must be less than {{0}}",error_maximum_incl:"Value must at most {{0}}",error_minimum_excl:"Value must be greater than {{0}}",error_minimum_incl:"Value must be at least {{0}}",error_maxLength:"Value must be at most {{0}} characters long",error_minLength:"Value must be at least {{0}} characters long",error_pattern:"Value must match the provided pattern",error_additionalItems:"No additional items allowed in this array",error_maxItems:"Value must have at most {{0}} items",error_minItems:"Value must have at least {{0}} items",error_uniqueItems:"Array must have unique items",error_maxProperties:"Object must have at most {{0}} properties",error_minProperties:"Object must have at least {{0}} properties",error_required:"Object is missing the required property '{{0}}'",error_additional_properties:"No additional properties allowed, but property {{0}} is set",error_dependency:"Must have property {{0}}"},n.plugins={ace:{theme:""},epiceditor:{},sceditor:{},select2:{}};for(var a in n.defaults.editors)n.defaults.editors.hasOwnProperty(a)&&(n.defaults.editors[a].options=n.defaults.editors.options||{});n.defaults.resolvers.unshift(function(t){return"string"!=typeof t.type?"multiple":void 0}),n.defaults.resolvers.unshift(function(t){return!t.type&&t.properties?"object":void 0}),n.defaults.resolvers.unshift(function(t){return"string"==typeof t.type?t.type:void 0}),n.defaults.resolvers.unshift(function(t){return"boolean"===t.type?"checkbox"===t.format||t.options&&t.options.checkbox?"checkbox":"select":void 0;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L374

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/JsTestDriver/framework/qunit/qunit-1.14.0.js:374
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- result.innerHTML = "Running...<br/>&nbsp;";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L720

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/JsTestDriver/framework/qunit/qunit-1.14.0.js:720
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = "Hide passed tests";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L237

Insecure DOM Manipulation (XSS) in ext-tree.js

CWE-79
File Location: lib/web/extjs/ext-tree.js:237
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- Ext.form.Field=function(_1){Ext.form.Field.superclass.constructor.call(this,_1);this.addEvents({focus:true,blur:true,specialkey:true,change:true,invalid:true,valid:true});};Ext.extend(Ext.form.Field,Ext.Component,{invalidClass:"x-form-invalid",invalidText:"The value in this field is invalid",focusClass:"x-form-focus",validationEvent:"keyup",validateOnBlur:true,validationDelay:250,defaultAutoCreate:{tag:"input",type:"text",size:"20",autocomplete:"off"},fieldClass:"x-form-field",msgTarget:"qtip",msgFx:"normal",inputType:undefined,isFormField:true,hasFocus:false,value:undefined,getName:function(){return this.rendered&&this.el.dom.name?this.el.dom.name:(this.hiddenName||"");},applyTo:function(_2){this.target=_2;this.el=Ext.get(_2);this.render(this.el.dom.parentNode);return this;},onRender:function(ct,_4){if(this.el){this.el=Ext.get(this.el);if(!this.target){ct.dom.appendChild(this.el.dom);}}else{var _5=this.getAutoCreate();if(!_5.name){_5.name=this.name||this.id;}if(this.inputType){_5.type=this.inputType;}if(this.tabIndex!==undefined){_5.tabIndex=this.tabIndex;}this.el=ct.createChild(_5,_4);}var _6=this.el.dom.type;if(_6){if(_6=="password"){_6="text";}this.el.addClass("x-form-"+_6);}if(!this.customSize&&(this.width||this.height)){this.setSize(this.width||"",this.height||"");}if(this.readOnly){this.el.dom.readOnly=true;}this.el.addClass([this.fieldClass,this.cls]);this.initValue();},initValue:function(){if(this.value!==undefined){this.setValue(this.value);}else{if(this.el.dom.value.length>0){this.setValue(this.el.dom.value);}}},afterRender:function(){Ext.form.Field.superclass.afterRender.call(this);this.initEvents();},fireKey:function(e){if(e.isNavKeyPress()){this.fireEvent("specialkey",this,e);}},reset:function(){this.setValue(this.originalValue);this.clearInvalid();},initEvents:function(){this.el.on(Ext.isIE?"keydown":"keypress",this.fireKey,this);this.el.on("focus",this.onFocus,this);this.el.on("blur",this.onBlur,this);this.originalValue=this.getValue();},onFocus:function(){if(!Ext.isOpera){this.el.addClass(this.focusClass);}this.hasFocus=true;this.startValue=this.getValue();this.fireEvent("focus",this);},onBlur:function(){this.el.removeClass(this.focusClass);this.hasFocus=false;if(this.validationEvent!==false&&this.validateOnBlur&&this.validationEvent!="blur"){this.validate();}var v=this.getValue();if(v!=this.startValue){this.fireEvent("change",this,v,this.startValue);}this.fireEvent("blur",this);},setSize:function(w,h){if(!this.rendered||!this.el){this.width=w;this.height=h;return;}if(w){w=this.adjustWidth(this.el.dom.tagName,w);this.el.setWidth(w);}if(h){this.el.setHeight(h);}var h=this.el.dom.offsetHeight;},isValid:function(_b){if(this.disabled){return true;}var _c=this.preventMark;this.preventMark=_b===true;var v=this.validateValue(this.getRawValue());this.preventMark=_c;return v;},validate:function(){if(this.disabled||this.validateValue(this.getRawValue())){this.clearInvalid();return true;}return false;},validateValue:function(_e){return true;},markInvalid:function(_f){if(!this.rendered||this.preventMark){return;}this.el.addClass(this.invalidClass);_f=_f||this.invalidText;switch(this.msgTarget){case "qtip":this.el.dom.qtip=_f;this.el.dom.qclass="x-form-invalid-tip";break;case "title":this.el.dom.title=_f;break;case "under":if(!this.errorEl){var elp=this.el.findParent(".x-form-element",5,true);this.errorEl=elp.createChild({cls:"x-form-invalid-msg"});this.errorEl.setWidth(elp.getWidth(true)-20);}this.errorEl.update(_f);Ext.form.Field.msgFx[this.msgFx].show(this.errorEl,this);break;case "side":if(!this.errorIcon){var elp=this.el.findParent(".x-form-element",5,true);this.errorIcon=elp.createChild({cls:"x-form-invalid-icon"});}this.alignErrorIcon();this.errorIcon.dom.qtip=_f;this.errorIcon.dom.qclass="x-form-invalid-tip";this.errorIcon.show();break;default:var t=Ext.getDom(this.msgTarget);t.innerHTML=_f;t.style.display=this.msgDisplay;break;}this.fireEvent("invalid",this,_f);},alignErrorIcon:function(){this.errorIcon.alignTo(this.el,"tl-tr",[2,0]);},clearInvalid:function(){if(!this.rendered||this.preventMark){return;}this.el.removeClass(this.invalidClass);switch(this.msgTarget){case "qtip":this.el.dom.qtip="";break;case "title":this.el.dom.title="";break;case "under":if(this.errorEl){Ext.form.Field.msgFx[this.msgFx].hide(this.errorEl,this);}break;case "side":if(this.errorIcon){this.errorIcon.dom.qtip="";this.errorIcon.hide();}break;default:var t=Ext.getDom(this.msgTarget);t.innerHTML="";t.style.display="none";break;}this.fireEvent("valid",this);},getRawValue:function(){return this.el.getValue();},getValue:function(){var v=this.el.getValue();if(v==this.emptyText||v===undefined){v="";}return v;},setRawValue:function(v){return this.el.dom.value=v;},setValue:function(v){this.value=v;if(this.rendered){this.el.dom.value=v;this.validate();}},adjustWidth:function(tag,w){tag=tag.toLowerCase();if(typeof w=="number"&&Ext.isStrict&&!Ext.isSafari){if(Ext.isIE&&(tag=="input"||tag=="textarea")){if(tag=="input"){return w+2;}if(tag="textarea"){return w-2;}}else{if(Ext.isGecko&&tag=="textarea"){return w-6;}else{if(Ext.isOpera){if(tag=="input"){return w+2;}if(tag="textarea"){return w-2;}}}}}return w;}});Ext.form.Field.msgFx={normal:{show:function(_18,f){_18.setDisplayed("block");},hide:function(_1a,f){_1a.setDisplayed(false).update("");}},slide:{show:function(_1c,f){_1c.slideIn("t",{stopFx:true});},hide:function(_1e,f){_1e.slideOut("t",{stopFx:true,useDisplay:true});}},slideRight:{show:function(_20,f){_20.fixDisplay();_20.alignTo(f.el,"tl-tr");_20.slideIn("l",{stopFx:true});},hide:function(_22,f){_22.slideOut("l",{stopFx:true,useDisplay:true});}}};
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6144

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery.js:6144
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- fragmentDiv.innerHTML = elem.outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6546

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery.js:6546
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L590

Insecure DOM Manipulation (XSS) in widget.js

CWE-79
File Location: lib/web/mage/adminhtml/wysiwyg/widget.js:590
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.getElementLabel().innerHTML = value;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1062

Insecure DOM Manipulation (XSS) in modernizr.js

CWE-79
File Location: lib/web/modernizr/modernizr.js:1062
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- p.innerHTML = 'x<style>' + cssText + '</style>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1935

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/prototype/prototype.js:1935
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<option value=\"test\">test</option>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1947

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/prototype/prototype.js:1947
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<tbody><tr><td>test</td></tr></tbody>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L629

Insecure DOM Manipulation (XSS) in window.js

CWE-79
File Location: lib/web/prototype/window.js:629
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- win.innerHTML = closeDiv + minDiv + maxDiv + "\
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L778

Insecure DOM Manipulation (XSS) in window.js

CWE-79
File Location: lib/web/prototype/window.js:778
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var size = WindowUtilities._computeSize(this.content.innerHTML, this.content.id, this.width, this.height, 0, this.options.className)
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1061

Insecure DOM Manipulation (XSS) in effects.js

CWE-79
File Location: lib/web/scriptaculous/effects.js:1061
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- String.__parseStyleElement.innerHTML = '<div style="' + this + '"></div>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L369

Insecure DOM Manipulation (XSS) in ForceBlocks.js

CWE-79
File Location: lib/web/tiny_mce/classes/ForceBlocks.js:369
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- sn.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L536

Insecure DOM Manipulation (XSS) in ForceBlocks.js

CWE-79
File Location: lib/web/tiny_mce/classes/ForceBlocks.js:536
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- nl[0].innerHTML = isOpera ? '\u00a0' : '<br />'; // Extra space for Opera so that the caret can move there
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in Entities.js

CWE-79
File Location: lib/web/tiny_mce/classes/html/Entities.js:48
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elm.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L63

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: lib/web/tiny_mce/plugins/advimage/js/image.js:63
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('srcbrowsercontainer').innerHTML = getBrowserHTML('srcbrowser','src','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L40

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: lib/web/tiny_mce/plugins/advlink/js/advlink.js:40
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("linklisthrefcontainer").innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L201

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: lib/web/tiny_mce/plugins/fullpage/js/fullpage.js:201
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('active_color_pickcontainer').innerHTML = getColorPickerHTML('active_color_pick','active_color');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in editor_plugin.js

CWE-79
File Location: lib/web/tiny_mce/plugins/inlinepopups/editor_plugin.js:1
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- (function(){var d=tinymce.DOM,b=tinymce.dom.Element,a=tinymce.dom.Event,e=tinymce.each,c=tinymce.is;tinymce.create("tinymce.plugins.InlinePopups",{init:function(f,g){f.onBeforeRenderUI.add(function(){f.windowManager=new tinymce.InlineWindowManager(f);d.loadCSS(g+"/skins/"+(f.settings.inlinepopups_skin||"clearlooks2")+"/window.css")})},getInfo:function(){return{longname:"InlinePopups",author:"Moxiecode Systems AB",authorurl:"http://tinymce.moxiecode.com",infourl:"http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/inlinepopups",version:tinymce.majorVersion+"."+tinymce.minorVersion}}});tinymce.create("tinymce.InlineWindowManager:tinymce.WindowManager",{InlineWindowManager:function(f){var g=this;g.parent(f);g.zIndex=1000;g.count=0;g.windows={}},open:function(s,j){var z=this,i,k="",r=z.editor,g=0,v=0,h,m,o,q,l,x,y,n;s=s||{};j=j||{};if(!s.inline){return z.parent(s,j)}n=z._frontWindow();if(n&&d.get(n.id+"_ifr")){n.focussedElement=d.get(n.id+"_ifr").contentWindow.document.activeElement}if(!s.type){z.bookmark=r.selection.getBookmark(1)}i=d.uniqueId();h=d.getViewPort();s.width=parseInt(s.width||320);s.height=parseInt(s.height||240)+(tinymce.isIE?8:0);s.min_width=parseInt(s.min_width||150);s.min_height=parseInt(s.min_height||100);s.max_width=parseInt(s.max_width||2000);s.max_height=parseInt(s.max_height||2000);s.left=s.left||Math.round(Math.max(h.x,h.x+(h.w/2)-(s.width/2)));s.top=s.top||Math.round(Math.max(h.y,h.y+(h.h/2)-(s.height/2)));s.movable=s.resizable=true;j.mce_width=s.width;j.mce_height=s.height;j.mce_inline=true;j.mce_window_id=i;j.mce_auto_focus=s.auto_focus;z.features=s;z.params=j;z.onOpen.dispatch(z,s,j);if(s.type){k+=" mceModal";if(s.type){k+=" mce"+s.type.substring(0,1).toUpperCase()+s.type.substring(1)}s.resizable=false}if(s.statusbar){k+=" mceStatusbar"}if(s.resizable){k+=" mceResizable"}if(s.minimizable){k+=" mceMinimizable"}if(s.maximizable){k+=" mceMaximizable"}if(s.movable){k+=" mceMovable"}z._addAll(d.doc.body,["div",{id:i,role:"dialog","aria-labelledby":s.type?i+"_content":i+"_title","class":(r.settings.inlinepopups_skin||"clearlooks2")+(tinymce.isIE&&window.getSelection?" ie9":""),style:"width:100px;height:100px"},["div",{id:i+"_wrapper","class":"mceWrapper"+k},["div",{id:i+"_top","class":"mceTop"},["div",{"class":"mceLeft"}],["div",{"class":"mceCenter"}],["div",{"class":"mceRight"}],["span",{id:i+"_title"},s.title||""]],["div",{id:i+"_middle","class":"mceMiddle"},["div",{id:i+"_left","class":"mceLeft",tabindex:"0"}],["span",{id:i+"_content"}],["div",{id:i+"_right","class":"mceRight",tabindex:"0"}]],["div",{id:i+"_bottom","class":"mceBottom"},["div",{"class":"mceLeft"}],["div",{"class":"mceCenter"}],["div",{"class":"mceRight"}],["span",{id:i+"_status"},"Content"]],["a",{"class":"mceMove",tabindex:"-1",href:"javascript:;"}],["a",{"class":"mceMin",tabindex:"-1",href:"javascript:;",onmousedown:"return false;"}],["a",{"class":"mceMax",tabindex:"-1",href:"javascript:;",onmousedown:"return false;"}],["a",{"class":"mceMed",tabindex:"-1",href:"javascript:;",onmousedown:"return false;"}],["a",{"class":"mceClose",tabindex:"-1",href:"javascript:;",onmousedown:"return false;"}],["a",{id:i+"_resize_n","class":"mceResize mceResizeN",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_s","class":"mceResize mceResizeS",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_w","class":"mceResize mceResizeW",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_e","class":"mceResize mceResizeE",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_nw","class":"mceResize mceResizeNW",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_ne","class":"mceResize mceResizeNE",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_sw","class":"mceResize mceResizeSW",tabindex:"-1",href:"javascript:;"}],["a",{id:i+"_resize_se","class":"mceResize mceResizeSE",tabindex:"-1",href:"javascript:;"}]]]);d.setStyles(i,{top:-10000,left:-10000});if(tinymce.isGecko){d.setStyle(i,"overflow","auto")}if(!s.type){g+=d.get(i+"_left").clientWidth;g+=d.get(i+"_right").clientWidth;v+=d.get(i+"_top").clientHeight;v+=d.get(i+"_bottom").clientHeight}d.setStyles(i,{top:s.top,left:s.left,width:s.width+g,height:s.height+v});y=s.url||s.file;if(y){if(tinymce.relaxedDomain){y+=(y.indexOf("?")==-1?"?":"&")+"mce_rdomain="+tinymce.relaxedDomain}y=tinymce._addVer(y)}if(!s.type){d.add(i+"_content","iframe",{id:i+"_ifr",src:'javascript:""',frameBorder:0,style:"border:0;width:10px;height:10px"});d.setStyles(i+"_ifr",{width:s.width,height:s.height});d.setAttrib(i+"_ifr","src",y)}else{d.add(i+"_wrapper","a",{id:i+"_ok","class":"mceButton mceOk",href:"javascript:;",onmousedown:"return false;"},"Ok");if(s.type=="confirm"){d.add(i+"_wrapper","a",{"class":"mceButton mceCancel",href:"javascript:;",onmousedown:"return false;"},"Cancel")}d.add(i+"_middle","div",{"class":"mceIcon"});d.setHTML(i+"_content",s.content.replace("\n","<br />"));a.add(i,"keyup",function(f){var p=27;if(f.keyCode===p){s.button_func(false);return a.cancel(f)}});a.add(i,"keydown",function(f){var t,p=9;if(f.keyCode===p){t=d.select("a.mceCancel",i+"_wrapper")[0];if(t&&t!==f.target){t.focus()}else{d.get(i+"_ok").focus()}return a.cancel(f)}})}o=a.add(i,"mousedown",function(t){var u=t.target,f,p;f=z.windows[i];z.focus(i);if(u.nodeName=="A"||u.nodeName=="a"){if(u.className=="mceClose"){z.close(null,i);return a.cancel(t)}else{if(u.className=="mceMax"){f.oldPos=f.element.getXY();f.oldSize=f.element.getSize();p=d.getViewPort();p.w-=2;p.h-=2;f.element.moveTo(p.x,p.y);f.element.resizeTo(p.w,p.h);d.setStyles(i+"_ifr",{width:p.w-f.deltaWidth,height:p.h-f.deltaHeight});d.addClass(i+"_wrapper","mceMaximized")}else{if(u.className=="mceMed"){f.element.moveTo(f.oldPos.x,f.oldPos.y);f.element.resizeTo(f.oldSize.w,f.oldSize.h);f.iframeElement.resizeTo(f.oldSize.w-f.deltaWidth,f.oldSize.h-f.deltaHeight);d.removeClass(i+"_wrapper","mceMaximized")}else{if(u.className=="mceMove"){return z._startDrag(i,t,u.className)}else{if(d.hasClass(u,"mceResize")){return z._startDrag(i,t,u.className.substring(13))}}}}}}});q=a.add(i,"click",function(f){var p=f.target;z.focus(i);if(p.nodeName=="A"||p.nodeName=="a"){switch(p.className){case"mceClose":z.close(null,i);return a.cancel(f);case"mceButton mceOk":case"mceButton mceCancel":s.button_func(p.className=="mceButton mceOk");return a.cancel(f)}}});a.add([i+"_left",i+"_right"],"focus",function(p){var t=d.get(i+"_ifr");if(t){var f=t.contentWindow.document.body;var u=d.select(":input:enabled,*[tabindex=0]",f);if(p.target.id===(i+"_left")){u[u.length-1].focus()}else{u[0].focus()}}else{d.get(i+"_ok").focus()}});x=z.windows[i]={id:i,mousedown_func:o,click_func:q,element:new b(i,{blocker:1,container:r.getContainer()}),iframeElement:new b(i+"_ifr"),features:s,deltaWidth:g,deltaHeight:v};x.iframeElement.on("focus",function(){z.focus(i)});if(z.count==0&&z.editor.getParam("dialog_type","modal")=="modal"){d.add(d.doc.body,"div",{id:"mceModalBlocker","class":(z.editor.settings.inlinepopups_skin||"clearlooks2")+"_modalBlocker",style:{zIndex:z.zIndex-1}});d.show("mceModalBlocker");d.setAttrib(d.doc.body,"aria-hidden","true")}else{d.setStyle("mceModalBlocker","z-index",z.zIndex-1)}if(tinymce.isIE6||/Firefox\/2\./.test(navigator.userAgent)||(tinymce.isIE&&!d.boxModel)){d.setStyles("mceModalBlocker",{position:"absolute",left:h.x,top:h.y,width:h.w-2,height:h.h-2})}d.setAttrib(i,"aria-hidden","false");z.focus(i);z._fixIELayout(i,1);if(d.get(i+"_ok")){d.get(i+"_ok").focus()}z.count++;return x},focus:function(h){var g=this,f;if(f=g.windows[h]){f.zIndex=this.zIndex++;f.element.setStyle("zIndex",f.zIndex);f.element.update();h=h+"_wrapper";d.removeClass(g.lastId,"mceFocus");d.addClass(h,"mceFocus");g.lastId=h;if(f.focussedElement){f.focussedElement.focus()}else{if(d.get(h+"_ok")){d.get(f.id+"_ok").focus()}else{if(d.get(f.id+"_ifr")){d.get(f.id+"_ifr").focus()}}}}},_addAll:function(k,h){var g,l,f=this,j=tinymce.DOM;if(c(h,"string")){k.appendChild(j.doc.createTextNode(h))}else{if(h.length){k=k.appendChild(j.create(h[0],h[1]));for(g=2;g<h.length;g++){f._addAll(k,h[g])}}}},_startDrag:function(v,G,E){var o=this,u,z,C=d.doc,f,l=o.windows[v],h=l.element,y=h.getXY(),x,q,F,g,A,s,r,j,i,m,k,n,B;g={x:0,y:0};A=d.getViewPort();A.w-=2;A.h-=2;j=G.screenX;i=G.screenY;m=k=n=B=0;u=a.add(C,"mouseup",function(p){a.remove(C,"mouseup",u);a.remove(C,"mousemove",z);if(f){f.remove()}h.moveBy(m,k);h.resizeBy(n,B);q=h.getSize();d.setStyles(v+"_ifr",{width:q.w-l.deltaWidth,height:q.h-l.deltaHeight});o._fixIELayout(v,1);return a.cancel(p)});if(E!="Move"){D()}function D(){if(f){return}o._fixIELayout(v,0);d.add(C.body,"div",{id:"mceEventBlocker","class":"mceEventBlocker "+(o.editor.settings.inlinepopups_skin||"clearlooks2"),style:{zIndex:o.zIndex+1}});if(tinymce.isIE6||(tinymce.isIE&&!d.boxModel)){d.setStyles("mceEventBlocker",{position:"absolute",left:A.x,top:A.y,width:A.w-2,height:A.h-2})}f=new b("mceEventBlocker");f.update();x=h.getXY();q=h.getSize();s=g.x+x.x-A.x;r=g.y+x.y-A.y;d.add(f.get(),"div",{id:"mcePlaceHolder","class":"mcePlaceHolder",style:{left:s,top:r,width:q.w,height:q.h}});F=new b("mcePlaceHolder")}z=a.add(C,"mousemove",function(w){var p,H,t;D();p=w.screenX-j;H=w.screenY-i;switch(E){case"ResizeW":m=p;n=0-p;break;case"ResizeE":n=p;break;case"ResizeN":case"ResizeNW":case"ResizeNE":if(E=="ResizeNW"){m=p;n=0-p}else{if(E=="ResizeNE"){n=p}}k=H;B=0-H;break;case"ResizeS":case"ResizeSW":case"ResizeSE":if(E=="ResizeSW"){m=p;n=0-p}else{if(E=="ResizeSE"){n=p}}B=H;break;case"mceMove":m=p;k=H;break}if(n<(t=l.features.min_width-q.w)){if(m!==0){m+=n-t}n=t}if(B<(t=l.features.min_height-q.h)){if(k!==0){k+=B-t}B=t}n=Math.min(n,l.features.max_width-q.w);B=Math.min(B,l.features.max_height-q.h);m=Math.max(m,A.x-(s+A.x));k=Math.max(k,A.y-(r+A.y));m=Math.min(m,(A.w+A.x)-(s+q.w+A.x));k=Math.min(k,(A.h+A.y)-(r+q.h+A.y));if(m+k!==0){if(s+m<0){m=0}if(r+k<0){k=0}F.moveTo(s+m,r+k)}if(n+B!==0){F.resizeTo(q.w+n,q.h+B)}return a.cancel(w)});return a.cancel(G)},resizeBy:function(g,h,i){var f=this.windows[i];if(f){f.element.resizeBy(g,h);f.iframeElement.resizeBy(g,h)}},close:function(i,k){var g=this,f,j=d.doc,h,k;k=g._findId(k||i);if(!g.windows[k]){g.parent(i);return}g.count--;if(g.count==0){d.remove("mceModalBlocker");d.setAttrib(d.doc.body,"aria-hidden","false");g.editor.focus()}if(f=g.windows[k]){g.onClose.dispatch(g);a.remove(j,"mousedown",f.mousedownFunc);a.remove(j,"click",f.clickFunc);a.clear(k);a.clear(k+"_ifr");d.setAttrib(k+"_ifr","src",'javascript:""');f.element.remove();delete g.windows[k];h=g._frontWindow();if(h){g.focus(h.id)}}},_frontWindow:function(){var g,f=0;e(this.windows,function(h){if(h.zIndex>f){g=h;f=h.zIndex}});return g},setTitle:function(f,g){var h;f=this._findId(f);if(h=d.get(f+"_title")){h.innerHTML=d.encode(g)}},alert:function(g,f,j){var i=this,h;h=i.open({title:i,type:"alert",button_func:function(k){if(f){f.call(k||i,k)}i.close(null,h.id)},content:d.encode(i.editor.getLang(g,g)),inline:1,width:400,height:130})},confirm:function(g,f,j){var i=this,h;h=i.open({title:i,type:"confirm",button_func:function(k){if(f){f.call(k||i,k)}i.close(null,h.id)},content:d.encode(i.editor.getLang(g,g)),inline:1,width:400,height:130})},_findId:function(f){var g=this;if(typeof(f)=="string"){return f}e(g.windows,function(h){var i=d.get(h.id+"_ifr");if(i&&f==i.contentWindow){f=h.id;return false}});return f},_fixIELayout:function(i,h){var f,g;if(!tinymce.isIE6){return}e(["n","s","w","e","nw","ne","sw","se"],function(j){var k=d.get(i+"_resize_"+j);d.setStyles(k,{width:h?k.clientWidth:"",height:h?k.clientHeight:"",cursor:d.getStyle(k,"cursor",1)});d.setStyle(i+"_bottom","bottom","-1px");k=0});if(f=this.windows[i]){f.element.hide();f.element.show();e(d.select("div,a",i),function(k,j){if(k.currentStyle.backgroundImage!="none"){g=new Image();g.src=k.currentStyle.backgroundImage.replace(/url\(\"(.+)\"\)/,"$1")}});d.get(i).style.filter=""}}});tinymce.PluginManager.add("inlinepopups",tinymce.plugins.InlinePopups)})();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: lib/web/tiny_mce/plugins/media/js/media.js:5
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L74

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: lib/web/tiny_mce/plugins/media/js/media.js:74
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('filebrowsercontainer').innerHTML = getBrowserHTML('filebrowser','src','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L87

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: lib/web/tiny_mce/plugins/media/js/media.js:87
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get("linklistcontainer").innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L704

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:704
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var html = span.innerHTML.replace(/<\/?\w+[^>]*>/gi, '');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L719

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:719
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html = p.innerHTML.replace(/__MCE_ITEM__/g, '').replace(/^\s*\w+\.(&nbsp;|\u00a0)+\s*/, '');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L732

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:732
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html = o.node.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L274

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/spellchecker/editor_plugin_src.js:274
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = v.replace(rx, '$1<span class="mceItemHiddenSpellWord">$2</span>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L41

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: lib/web/tiny_mce/plugins/style/js/props.js:41
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('border_color_right_pickcontainer').innerHTML = getColorPickerHTML('border_color_right_pick','border_color_right');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L11

Insecure DOM Manipulation (XSS) in cell.js

CWE-79
File Location: lib/web/tiny_mce/plugins/table/js/cell.js:11
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('bgcolor_pickcontainer').innerHTML = getColorPickerHTML('bgcolor_pick','bgcolor')
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5743

Insecure DOM Manipulation (XSS) in tiny_mce_prototype_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_prototype_src.js:5743
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.innerHTML = element.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L7492

Insecure DOM Manipulation (XSS) in tiny_mce_prototype_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_prototype_src.js:7492
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = '<br>' + (r.item ? r.item(0).outerHTML : r.htmlText);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14300

Insecure DOM Manipulation (XSS) in tiny_mce_prototype_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_prototype_src.js:14300
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4289

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:4289
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6836

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:6836
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<p class='TEST'></p>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14128

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:14128
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- sn.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14298

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:14298
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = isOpera ? '\u00a0' : '<br />'; // Extra space for Opera so that the caret can move there
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L123

Insecure DOM Manipulation (XSS) in direct-post.js

CWE-79
File Location: app/code/Magento/Authorizenet/view/adminhtml/web/js/direct-post.js:123
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var data = $('order-' + this.iframeId).contentWindow.document.body.getElementsByTagName('pre')[0].innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L555

Insecure DOM Manipulation (XSS) in scripts.js

CWE-79
File Location: app/code/Magento/Sales/view/adminhtml/web/order/create/scripts.js:555
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- priceColl.innerHTML = this.currencySymbol + productPrice.toFixed(2);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L724

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/JsTestDriver/framework/qunit/qunit-1.14.0.js:724
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- urlConfigContainer.innerHTML = urlConfigHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6364

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery.js:6364
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = value;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L12536

Insecure DOM Manipulation (XSS) in jquery-ui.js

CWE-79
File Location: lib/web/jquery/jquery-ui.js:12536
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testElement.innerHTML = "";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L100

Insecure DOM Manipulation (XSS) in knockout.js

CWE-79
File Location: lib/web/knockoutjs/knockout.js:100
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '<!--[if gt IE ' + (++version) + ']><i></i><![endif]-->',
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L308

Insecure DOM Manipulation (XSS) in window.js

CWE-79
File Location: lib/web/prototype/window.js:308
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.getContent().innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L233

Insecure DOM Manipulation (XSS) in ForceBlocks.js

CWE-79
File Location: lib/web/tiny_mce/classes/ForceBlocks.js:233
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- parent.innerHTML = '\uFEFF';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L147

Insecure DOM Manipulation (XSS) in Selection.js

CWE-79
File Location: lib/web/tiny_mce/classes/dom/Selection.js:147
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = r.toString();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L227

Insecure DOM Manipulation (XSS) in TridentSelection.js

CWE-79
File Location: lib/web/tiny_mce/classes/dom/TridentSelection.js:227
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element2.innerHTML = element2.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L68

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: lib/web/tiny_mce/plugins/advimage/js/image.js:68
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('onmouseoversrccontainer').innerHTML = getBrowserHTML('overbrowser','onmouseoversrc','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L73

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: lib/web/tiny_mce/plugins/advimage/js/image.js:73
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('onmouseoutsrccontainer').innerHTML = getBrowserHTML('outbrowser','onmouseoutsrc','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in editor_plugin.js

CWE-79
File Location: lib/web/tiny_mce/plugins/layer/editor_plugin.js:1
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- (function(){function a(b){do{if(b.className&&b.className.indexOf("mceItemLayer")!=-1){return b}}while(b=b.parentNode)}tinymce.create("tinymce.plugins.Layer",{init:function(b,c){var d=this;d.editor=b;b.addCommand("mceInsertLayer",d._insertLayer,d);b.addCommand("mceMoveForward",function(){d._move(1)});b.addCommand("mceMoveBackward",function(){d._move(-1)});b.addCommand("mceMakeAbsolute",function(){d._toggleAbsolute()});b.addButton("moveforward",{title:"layer.forward_desc",cmd:"mceMoveForward"});b.addButton("movebackward",{title:"layer.backward_desc",cmd:"mceMoveBackward"});b.addButton("absolute",{title:"layer.absolute_desc",cmd:"mceMakeAbsolute"});b.addButton("insertlayer",{title:"layer.insertlayer_desc",cmd:"mceInsertLayer"});b.onInit.add(function(){var e=b.dom;if(tinymce.isIE){b.getDoc().execCommand("2D-Position",false,true)}});b.onMouseUp.add(function(f,h){var g=a(h.target);if(g){f.dom.setAttrib(g,"data-mce-style","")}});b.onMouseDown.add(function(f,j){var h=j.target,i=f.getDoc(),g;if(tinymce.isGecko){if(a(h)){if(i.designMode!=="on"){i.designMode="on";h=i.body;g=h.parentNode;g.removeChild(h);g.appendChild(h)}}else{if(i.designMode=="on"){i.designMode="off"}}}});b.onNodeChange.add(d._nodeChange,d);b.onVisualAid.add(d._visualAid,d)},getInfo:function(){return{longname:"Layer",author:"Moxiecode Systems AB",authorurl:"http://tinymce.moxiecode.com",infourl:"http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/layer",version:tinymce.majorVersion+"."+tinymce.minorVersion}},_nodeChange:function(c,b,f){var d,e;d=this._getParentLayer(f);e=c.dom.getParent(f,"DIV,P,IMG");if(!e){b.setDisabled("absolute",1);b.setDisabled("moveforward",1);b.setDisabled("movebackward",1)}else{b.setDisabled("absolute",0);b.setDisabled("moveforward",!d);b.setDisabled("movebackward",!d);b.setActive("absolute",d&&d.style.position.toLowerCase()=="absolute")}},_visualAid:function(b,d,c){var f=b.dom;tinymce.each(f.select("div,p",d),function(g){if(/^(absolute|relative|fixed)$/i.test(g.style.position)){if(c){f.addClass(g,"mceItemVisualAid")}else{f.removeClass(g,"mceItemVisualAid")}f.addClass(g,"mceItemLayer")}})},_move:function(j){var c=this.editor,g,h=[],f=this._getParentLayer(c.selection.getNode()),e=-1,k=-1,b;b=[];tinymce.walk(c.getBody(),function(d){if(d.nodeType==1&&/^(absolute|relative|static)$/i.test(d.style.position)){b.push(d)}},"childNodes");for(g=0;g<b.length;g++){h[g]=b[g].style.zIndex?parseInt(b[g].style.zIndex):0;if(e<0&&b[g]==f){e=g}}if(j<0){for(g=0;g<h.length;g++){if(h[g]<h[e]){k=g;break}}if(k>-1){b[e].style.zIndex=h[k];b[k].style.zIndex=h[e]}else{if(h[e]>0){b[e].style.zIndex=h[e]-1}}}else{for(g=0;g<h.length;g++){if(h[g]>h[e]){k=g;break}}if(k>-1){b[e].style.zIndex=h[k];b[k].style.zIndex=h[e]}else{b[e].style.zIndex=h[e]+1}}c.execCommand("mceRepaint")},_getParentLayer:function(b){return this.editor.dom.getParent(b,function(c){return c.nodeType==1&&/^(absolute|relative|static)$/i.test(c.style.position)})},_insertLayer:function(){var c=this.editor,e=c.dom,d=e.getPos(e.getParent(c.selection.getNode(),"*")),b=c.getBody();c.dom.add(b,"div",{style:{position:"absolute",left:d.x,top:(d.y>20?d.y:20),width:100,height:100},"class":"mceItemVisualAid mceItemLayer"},c.selection.getContent()||c.getLang("layer.content"));if(tinymce.isIE){e.setHTML(b,b.innerHTML)}},_toggleAbsolute:function(){var b=this.editor,c=this._getParentLayer(b.selection.getNode());if(!c){c=b.dom.getParent(b.selection.getNode(),"DIV,P,IMG")}if(c){if(c.style.position.toLowerCase()=="absolute"){b.dom.setStyles(c,{position:"",left:"",top:"",width:"",height:""});b.dom.removeClass(c,"mceItemVisualAid");b.dom.removeClass(c,"mceItemLayer")}else{if(c.style.left==""){c.style.left=20+"px"}if(c.style.top==""){c.style.top=20+"px"}if(c.style.width==""){c.style.width=c.width?(c.width+"px"):"100px"}if(c.style.height==""){c.style.height=c.height?(c.height+"px"):"100px"}c.style.position="absolute";b.dom.setAttrib(c,"data-mce-style","");b.addVisual(b.getBody())}b.execCommand("mceRepaint");b.nodeChanged()}}});tinymce.PluginManager.add("layer",tinymce.plugins.Layer)})();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L76

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: lib/web/tiny_mce/plugins/media/js/media.js:76
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('bgcolor_pickcontainer').innerHTML = getColorPickerHTML('bgcolor_pick','bgcolor');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L713

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:713
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html = p.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L717

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:717
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html = p.innerHTML.replace(/__MCE_ITEM__/g, '').replace(/^[\u2022\u00b7\u00a7\u00d8o\u25CF]\s*(&nbsp;|\u00a0)+\s*/, '');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L360

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/spellchecker/editor_plugin_src.js:360
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var word = wordSpan.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L36

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: lib/web/tiny_mce/plugins/style/js/props.js:36
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("background_image_browser").innerHTML = h;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6

Insecure DOM Manipulation (XSS) in row.js

CWE-79
File Location: lib/web/tiny_mce/plugins/table/js/row.js:6
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('backgroundimagebrowsercontainer').innerHTML = getBrowserHTML('backgroundimagebrowser','backgroundimage','image','table');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L361

Insecure DOM Manipulation (XSS) in charmap.js

CWE-79
File Location: lib/web/tiny_mce/themes/advanced/js/charmap.js:361
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elmA.innerHTML = '&amp;' + codeB;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L8

Insecure DOM Manipulation (XSS) in link.js

CWE-79
File Location: lib/web/tiny_mce/themes/advanced/js/link.js:8
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1547

Insecure DOM Manipulation (XSS) in tiny_mce_jquery_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_jquery_src.js:1547
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elm.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L13474

Insecure DOM Manipulation (XSS) in tiny_mce_jquery_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_jquery_src.js:13474
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = isOpera ? '\u00a0' : '<br />'; // Extra space for Opera so that the caret can move there
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14012

Insecure DOM Manipulation (XSS) in tiny_mce_prototype_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_prototype_src.js:14012
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- parent.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L13442

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:13442
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- value = parentNode == rootNode ? rootNode.innerHTML : dom.getOuterHTML(parentNode);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L13992

Insecure DOM Manipulation (XSS) in tiny_mce_src.js

CWE-79
File Location: lib/web/tiny_mce/tiny_mce_src.js:13992
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- parent.innerHTML = '\uFEFF';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2265

Insecure DOM Manipulation (XSS) in angular.js

CWE-79
File Location: setup/pub/angular/angular.js:2265
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmp.innerHTML = '<div>&#160;</div>' +
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L146

Insecure DOM Manipulation (XSS) in angular.min.js

CWE-79
File Location: setup/pub/angular/angular.min.js:146
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c.push(a.value||a.text)});return 0===c.length?null:c}return b.value}b.value=a},html:function(b,a){if(H(a))return b.innerHTML;for(var c=0,d=b.childNodes;c<d.length;c++)Ga(d[c]);b.innerHTML=a},empty:oc},function(b,a){M.prototype[a]=function(a,d){var e,g;if(b!==oc&&(2==b.length&&b!==Ib&&b!==nc?a:d)===s){if(X(a)){for(e=0;e<this.length;e++)if(b===mc)b(this[e],a);else for(g in a)b(this[e],g,a[g]);return this}e=b.$dv;g=e===s?Math.min(this.length,1):this.length;for(var f=0;f<g;f++){var h=b(this[f],a,d);e=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L365

Insecure DOM Manipulation (XSS) in configurable.js

CWE-79
File Location: app/code/Magento/ConfigurableProduct/view/frontend/web/js/configurable.js:365
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.options[0].innerHTML = this.options.spConfig.chooseText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L315

Insecure DOM Manipulation (XSS) in rules.js

CWE-79
File Location: app/code/Magento/Rule/view/adminhtml/web/rules.js:315
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- new_elem.innerHTML = jQuery.mage.__('This won\'t take long . . .');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L217

Insecure DOM Manipulation (XSS) in packaging.js

CWE-79
File Location: app/code/Magento/Shipping/view/adminhtml/web/order/packaging.js:217
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.messages.show().innerHTML = response.message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L254

Insecure DOM Manipulation (XSS) in swagger-oauth.js

CWE-79
File Location: app/code/Magento/Swagger/view/frontend/web/swagger-ui/js/lib/swagger-oauth.js:254
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var inner = v1.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L29

Insecure DOM Manipulation (XSS) in bind-html.js

CWE-79
File Location: app/code/Magento/Ui/view/base/web/js/lib/knockout/bindings/bind-html.js:29
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L748

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/JsTestDriver/framework/qunit/qunit-1.14.0.js:748
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- moduleFilter.innerHTML = moduleFilterHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1202

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/JsTestDriver/framework/qunit/qunit-1.14.0.js:1202
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output