Back to Codebase

Vulnerability Analysis Report

Magento Luma Default Theme v0.1.0-alpha94

Scan ID: SCAN-MAGENTO-LUMA-O5WRoj • Hash: e9729543

Severity Score
Critical
Total Findings
100
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.879s

Vulnerability Details

L86

Dynamic Code Execution in Csv.php

CWE-94
File Location: dev/tools/Magento/Tools/I18n/Code/Dictionary/Writer/Csv.php:86
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $result = @eval($evalString);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L435

Dynamic Code Execution in Redis.php

CWE-94
File Location: lib/internal/Cm/Cache/Backend/Redis.php:435
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->_redis->eval($script, $pTags, $sArgs);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L483

Dynamic Code Execution in Filesystem.php

CWE-94
File Location: lib/internal/Magento/Framework/Data/Collection/Filesystem.php:483
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$result = ' . $this->_filterEvalRendered . ';');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L917

Dynamic Code Execution in PEAR.php

CWE-94
File Location: lib/internal/PEAR/PEAR.php:917
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$e = new Exception($this->message, $this->code);throw($e);');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L56

Dynamic Code Execution in Client.php

CWE-94
File Location: lib/internal/PEAR/SOAP/Client.php:56
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L56

Dynamic Code Execution in DumperTest.php

CWE-94
File Location: lib/internal/Symfony/Component/Yaml/Tests/DumperTest.php:56
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $expected = eval('return '.trim($test['php']).';');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L1129

Dynamic Code Execution in Acl.php

CWE-94
File Location: lib/internal/Zend/Acl.php:1129
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $assertionValue = $assertion->assert(
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L92

Dynamic Code Execution in AssertTaxRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleApplying.php:92
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- abstract protected function assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L12

Dynamic Code Execution in prohibited_statement.php

CWE-94
File Location: dev/tests/static/testsuite/Magento/Test/Php/Exemplar/CodeMessTest/phpmd/input/prohibited_statement.php:12
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return eval($expression);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L521

Dynamic Code Execution in Redis.php

CWE-94
File Location: lib/internal/Cm/Cache/Backend/Redis.php:521
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->_redis->eval($script, $tagsBatch, $sArgs);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L54

Dynamic Code Execution in Client.php

CWE-94
File Location: lib/internal/PEAR/SOAP/Client.php:54
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('function clone($t) { return $t; }');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L789

Dynamic Code Execution in WSDL.php

CWE-94
File Location: lib/internal/PEAR/SOAP/WSDL.php:789
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($proxy);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L65

Dynamic Code Execution in ParserTest.php

CWE-94
File Location: lib/internal/Symfony/Component/Yaml/Tests/ParserTest.php:65
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $expected = var_export(eval('return '.trim($test['php']).';'), true);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L59

Dynamic Code Execution in PhpCode.php

CWE-94
File Location: lib/internal/Zend/Serializer/Adapter/PhpCode.php:59
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $eval = @eval('$ret=' . $code . ';');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L44

Dynamic Code Execution in AssertTaxRuleIsNotApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleIsNotApplied.php:44
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L266

Dynamic Code Execution in Redis.php

CWE-94
File Location: lib/internal/Cm/Cache/Backend/Redis.php:266
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $res = $this->_redis->eval($script, $tags, $sArgs);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L62

Dynamic Code Execution in Interface.php

CWE-94
File Location: lib/internal/Zend/Acl/Assert/Interface.php:62
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null,
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L167

Dynamic Code Execution in AssertTaxRuleApplying.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleApplying.php:167
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->assert();
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L44

Dynamic Code Execution in AssertTaxRuleIsApplied.php

CWE-94
File Location: dev/tests/functional/tests/app/Magento/Tax/Test/Constraint/AssertTaxRuleIsApplied.php:44
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- protected function assert()
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L917

Dynamic Code Execution in PEAR.php

CWE-94
File Location: lib/internal/PEAR/PEAR/PEAR.php:917
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$e = new Exception($this->message, $this->code);throw($e);');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L49

Cross-Site Scripting (XSS) in install.php

CWE-79
File Location: dev/shell/install.php:49
Security Score:
85 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo ' php -f ' . $_SERVER['argv'][0] . ' -- --' . $option . PHP_EOL;
+ echo htmlspecialchars(' php -f ' . $_SERVER['argv'][0] . ' -- --' . $option . PHP_EOL, ENT_QUOTES, "UTF-8");
L80

Cross-Site Scripting (XSS) in install.php

CWE-79
File Location: dev/shell/install.php:80
Security Score:
81 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo ' php -f ' . $_SERVER['argv'][0] . ' --';
+ echo htmlspecialchars(' php -f ' . $_SERVER['argv'][0] . ' --', ENT_QUOTES, "UTF-8");
L390

Insecure DOM Manipulation (XSS) in configure.js

CWE-79
File Location: app/code/Magento/Catalog/view/adminhtml/web/catalog/product/composite/configure.js:390
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.blockMsgError.innerHTML = response.message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L502

Insecure DOM Manipulation (XSS) in scripts.js

CWE-79
File Location: app/code/Magento/Sales/view/adminhtml/web/order/create/scripts.js:502
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var priceBase = priceColl.innerHTML.match(/.*?([\d,]+\.?\d*)/);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1069

Insecure DOM Manipulation (XSS) in effects.js

CWE-79
File Location: lib/web/extjs/adapter/prototype/effects.js:1069
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.innerHTML = '<div style="' + this + '"></div>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1558

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/extjs/adapter/prototype/prototype.js:1558
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '<table><tbody>' + html.stripScripts() + '</tbody></table>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L110

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:110
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tempTableEl.innerHTML = [s, h, e].join('');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L29914

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:29914
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- s+='&gt;<em>' + ellipsis(html(String(n.innerHTML)), 35) + '</em>&lt;/'+tag+'&gt;';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L35

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:35
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var range=el.ownerDocument.createRange();var frag;switch(where){case"beforebegin":range.setStartBefore(el);frag=range.createContextualFragment(html);el.parentNode.insertBefore(frag,el);return el.previousSibling;case"afterbegin":if(el.firstChild){range.setStartBefore(el.firstChild);frag=range.createContextualFragment(html);el.insertBefore(frag,el.firstChild);return el.firstChild;}else{el.innerHTML=html;return el.firstChild;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1476

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1476
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- ts.innerHTML=v;var h=Math.min(this.growMax,Math.max(ts.offsetHeight,this.growMin));if(h!=this.lastHeight){this.lastHeight=h;this.el.setHeight(h);this.fireEvent("autosize",this,h);}},setValue:function(v){Ext.form.TextArea.superclass.setValue.call(this,v);this.autoSize();}});
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1672

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1672
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if((!c.titlebar&&!c.title)||c.titlebar===false){this.titleEl.hide();}else{this.titleEl.show();if(c.title){this.titleTextEl.innerHTML=c.title;}}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1769

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1769
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var size=this.adjustForComponents(width,height);this.resizeEl.setSize(this.autoWidth?"auto":size.width,this.autoHeight?"auto":size.height);this.fireEvent('resize',this,size.width,size.height);}},getTitle:function(){return this.title;},setTitle:function(title){this.title=title;if(this.region){this.region.updatePanelTitle(this,title);}},isClosable:function(){return this.closable;},beforeSlide:function(){this.el.clip();this.resizeEl.clip();},afterSlide:function(){this.el.unclip();this.resizeEl.unclip();},refresh:function(){if(this.refreshDelegate){this.loaded=false;this.refreshDelegate();}},destroy:function(){this.el.removeAllListeners();var tempEl=document.createElement("span");tempEl.appendChild(this.el.dom);tempEl.innerHTML="";this.el.remove();this.el=null;}});Ext.GridPanel=function(grid,config){this.wrapper=Ext.DomHelper.append(document.body,{tag:"div",cls:"x-layout-grid-wrapper x-layout-inactive-content"},true);this.wrapper.dom.appendChild(grid.getGridEl().dom);Ext.GridPanel.superclass.constructor.call(this,this.wrapper,config);if(this.toolbar){this.toolbar.el.insertBefore(this.wrapper.dom.firstChild);}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1869

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1869
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var cm=this.grid.colModel;var cell=this.getCell(rowIndex,colIndex);var cellText=this.getCellText(rowIndex,colIndex);var p={cellId:"x-grid-cell-"+rowIndex+"-"+colIndex,id:cm.getColumnId(colIndex),css:colIndex==cm.getColumnCount()-1?"x-grid-col-last":""};var renderer=cm.getRenderer(colIndex);var val=renderer(dm.getValueAt(rowIndex,dataIndex),p,rowIndex,colIndex,dm);if(typeof val=="undefined"||val==="")val="&#160;";cellText.innerHTML=val;cell.className=this.cellClass+" "+p.cellId+" "+p.css;this.syncRowHeights(rowIndex,rowIndex);},calcColumnWidth:function(colIndex,maxRowsToMeasure){var maxWidth=0;if(this.grid.autoSizeHeaders){var h=this.getHeaderCellMeasure(colIndex);maxWidth=Math.max(maxWidth,h.scrollWidth);}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L110

Insecure DOM Manipulation (XSS) in ext-core-debug.js

CWE-79
File Location: lib/web/extjs/ext-core-debug.js:110
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tempTableEl.innerHTML = [s, h, e].join('');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L237

Insecure DOM Manipulation (XSS) in ext-tree.js

CWE-79
File Location: lib/web/extjs/ext-tree.js:237
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- Ext.form.Field=function(_1){Ext.form.Field.superclass.constructor.call(this,_1);this.addEvents({focus:true,blur:true,specialkey:true,change:true,invalid:true,valid:true});};Ext.extend(Ext.form.Field,Ext.Component,{invalidClass:"x-form-invalid",invalidText:"The value in this field is invalid",focusClass:"x-form-focus",validationEvent:"keyup",validateOnBlur:true,validationDelay:250,defaultAutoCreate:{tag:"input",type:"text",size:"20",autocomplete:"off"},fieldClass:"x-form-field",msgTarget:"qtip",msgFx:"normal",inputType:undefined,isFormField:true,hasFocus:false,value:undefined,getName:function(){return this.rendered&&this.el.dom.name?this.el.dom.name:(this.hiddenName||"");},applyTo:function(_2){this.target=_2;this.el=Ext.get(_2);this.render(this.el.dom.parentNode);return this;},onRender:function(ct,_4){if(this.el){this.el=Ext.get(this.el);if(!this.target){ct.dom.appendChild(this.el.dom);}}else{var _5=this.getAutoCreate();if(!_5.name){_5.name=this.name||this.id;}if(this.inputType){_5.type=this.inputType;}if(this.tabIndex!==undefined){_5.tabIndex=this.tabIndex;}this.el=ct.createChild(_5,_4);}var _6=this.el.dom.type;if(_6){if(_6=="password"){_6="text";}this.el.addClass("x-form-"+_6);}if(!this.customSize&&(this.width||this.height)){this.setSize(this.width||"",this.height||"");}if(this.readOnly){this.el.dom.readOnly=true;}this.el.addClass([this.fieldClass,this.cls]);this.initValue();},initValue:function(){if(this.value!==undefined){this.setValue(this.value);}else{if(this.el.dom.value.length>0){this.setValue(this.el.dom.value);}}},afterRender:function(){Ext.form.Field.superclass.afterRender.call(this);this.initEvents();},fireKey:function(e){if(e.isNavKeyPress()){this.fireEvent("specialkey",this,e);}},reset:function(){this.setValue(this.originalValue);this.clearInvalid();},initEvents:function(){this.el.on(Ext.isIE?"keydown":"keypress",this.fireKey,this);this.el.on("focus",this.onFocus,this);this.el.on("blur",this.onBlur,this);this.originalValue=this.getValue();},onFocus:function(){if(!Ext.isOpera){this.el.addClass(this.focusClass);}this.hasFocus=true;this.startValue=this.getValue();this.fireEvent("focus",this);},onBlur:function(){this.el.removeClass(this.focusClass);this.hasFocus=false;if(this.validationEvent!==false&&this.validateOnBlur&&this.validationEvent!="blur"){this.validate();}var v=this.getValue();if(v!=this.startValue){this.fireEvent("change",this,v,this.startValue);}this.fireEvent("blur",this);},setSize:function(w,h){if(!this.rendered||!this.el){this.width=w;this.height=h;return;}if(w){w=this.adjustWidth(this.el.dom.tagName,w);this.el.setWidth(w);}if(h){this.el.setHeight(h);}var h=this.el.dom.offsetHeight;},isValid:function(_b){if(this.disabled){return true;}var _c=this.preventMark;this.preventMark=_b===true;var v=this.validateValue(this.getRawValue());this.preventMark=_c;return v;},validate:function(){if(this.disabled||this.validateValue(this.getRawValue())){this.clearInvalid();return true;}return false;},validateValue:function(_e){return true;},markInvalid:function(_f){if(!this.rendered||this.preventMark){return;}this.el.addClass(this.invalidClass);_f=_f||this.invalidText;switch(this.msgTarget){case "qtip":this.el.dom.qtip=_f;this.el.dom.qclass="x-form-invalid-tip";break;case "title":this.el.dom.title=_f;break;case "under":if(!this.errorEl){var elp=this.el.findParent(".x-form-element",5,true);this.errorEl=elp.createChild({cls:"x-form-invalid-msg"});this.errorEl.setWidth(elp.getWidth(true)-20);}this.errorEl.update(_f);Ext.form.Field.msgFx[this.msgFx].show(this.errorEl,this);break;case "side":if(!this.errorIcon){var elp=this.el.findParent(".x-form-element",5,true);this.errorIcon=elp.createChild({cls:"x-form-invalid-icon"});}this.alignErrorIcon();this.errorIcon.dom.qtip=_f;this.errorIcon.dom.qclass="x-form-invalid-tip";this.errorIcon.show();break;default:var t=Ext.getDom(this.msgTarget);t.innerHTML=_f;t.style.display=this.msgDisplay;break;}this.fireEvent("invalid",this,_f);},alignErrorIcon:function(){this.errorIcon.alignTo(this.el,"tl-tr",[2,0]);},clearInvalid:function(){if(!this.rendered||this.preventMark){return;}this.el.removeClass(this.invalidClass);switch(this.msgTarget){case "qtip":this.el.dom.qtip="";break;case "title":this.el.dom.title="";break;case "under":if(this.errorEl){Ext.form.Field.msgFx[this.msgFx].hide(this.errorEl,this);}break;case "side":if(this.errorIcon){this.errorIcon.dom.qtip="";this.errorIcon.hide();}break;default:var t=Ext.getDom(this.msgTarget);t.innerHTML="";t.style.display="none";break;}this.fireEvent("valid",this);},getRawValue:function(){return this.el.getValue();},getValue:function(){var v=this.el.getValue();if(v==this.emptyText||v===undefined){v="";}return v;},setRawValue:function(v){return this.el.dom.value=v;},setValue:function(v){this.value=v;if(this.rendered){this.el.dom.value=v;this.validate();}},adjustWidth:function(tag,w){tag=tag.toLowerCase();if(typeof w=="number"&&Ext.isStrict&&!Ext.isSafari){if(Ext.isIE&&(tag=="input"||tag=="textarea")){if(tag=="input"){return w+2;}if(tag="textarea"){return w-2;}}else{if(Ext.isGecko&&tag=="textarea"){return w-6;}else{if(Ext.isOpera){if(tag=="input"){return w+2;}if(tag="textarea"){return w-2;}}}}}return w;}});Ext.form.Field.msgFx={normal:{show:function(_18,f){_18.setDisplayed("block");},hide:function(_1a,f){_1a.setDisplayed(false).update("");}},slide:{show:function(_1c,f){_1c.slideIn("t",{stopFx:true});},hide:function(_1e,f){_1e.slideOut("t",{stopFx:true,useDisplay:true});}},slideRight:{show:function(_20,f){_20.fixDisplay();_20.alignTo(f.el,"tl-tr");_20.slideIn("l",{stopFx:true});},hide:function(_22,f){_22.slideOut("l",{stopFx:true,useDisplay:true});}}};
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1439

Insecure DOM Manipulation (XSS) in jquery-1.8.2.js

CWE-79
File Location: lib/web/jquery/jquery-1.8.2.js:1439
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<table><tr><td></td><td>t</td></tr></table>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L12539

Insecure DOM Manipulation (XSS) in jquery-ui.js

CWE-79
File Location: lib/web/jquery/jquery-ui.js:12539
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testElement.innerHTML = "";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4146

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery/jquery.js:4146
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = " <link/><table></table><a href='/a'>a</a>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2817

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/prototype/prototype.js:2817
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '&nbsp;' + t[0] + html + t[1];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4784

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/prototype/prototype.js:4784
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<p class='TEST'></p>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1141

Insecure DOM Manipulation (XSS) in window.js

CWE-79
File Location: lib/web/prototype/window.js:1141
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- win.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1061

Insecure DOM Manipulation (XSS) in effects.js

CWE-79
File Location: lib/web/scriptaculous/effects.js:1061
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- String.__parseStyleElement.innerHTML = '<div style="' + this + '"></div>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L201

Insecure DOM Manipulation (XSS) in Selection.js

CWE-79
File Location: lib/web/tiny_mce/classes/dom/Selection.js:201
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- doc.body.innerHTML = content;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in Entities.js

CWE-79
File Location: lib/web/tiny_mce/classes/html/Entities.js:48
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elm.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L8

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: lib/web/tiny_mce/plugins/advimage/js/image.js:8
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L200

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:200
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if (n.innerHTML === '\uFEFF\uFEFF') {
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L704

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:704
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var html = span.innerHTML.replace(/<\/?\w+[^>]*>/gi, '');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L10

Insecure DOM Manipulation (XSS) in cell.js

CWE-79
File Location: lib/web/tiny_mce/plugins/table/js/cell.js:10
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('bordercolor_pickcontainer').innerHTML = getColorPickerHTML('bordercolor_pick','bordercolor');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L95

Insecure DOM Manipulation (XSS) in table.js

CWE-79
File Location: lib/web/tiny_mce/plugins/table/js/table.js:95
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- capEl.innerHTML = '<br data-mce-bogus="1"/>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L93

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/template/editor_plugin_src.js:93
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- n.innerHTML = t._getDateTime(new Date(), ed.getParam("template_mdate_format", ed.getLang("template.mdate_format")));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L67

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: lib/web/tiny_mce/plugins/template/js/template.js:67
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('tmpldesc').innerHTML = tsrc[x].description || '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L56

Insecure DOM Manipulation (XSS) in about.js

CWE-79
File Location: lib/web/tiny_mce/themes/advanced/js/about.js:56
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tcont.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L134

Insecure DOM Manipulation (XSS) in color_picker.js

CWE-79
File Location: lib/web/tiny_mce/themes/advanced/js/color_picker.js:134
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("colorname").innerHTML = name;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L172

Insecure DOM Manipulation (XSS) in configurable.js

CWE-79
File Location: app/code/Magento/ConfigurableProduct/view/adminhtml/web/js/configurable.js:172
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.options[0].innerHTML = this.config.chooseText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L296

Insecure DOM Manipulation (XSS) in configurable.js

CWE-79
File Location: app/code/Magento/ConfigurableProduct/view/adminhtml/web/js/configurable.js:296
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $('product-price-'+this.config.productId).innerHTML = price;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L309

Insecure DOM Manipulation (XSS) in configurable.js

CWE-79
File Location: app/code/Magento/ConfigurableProduct/view/frontend/web/js/configurable.js:309
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.options[0].innerHTML = this.options.spConfig.chooseText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L345

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:345
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- qunit.innerHTML =
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L672

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:672
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- userAgent.innerHTML = navigator.userAgent;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1206

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:1206
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- a.innerHTML = "Rerun";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L469

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/extjs/adapter/jquery/jquery.js:469
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = wrap[1] + s + wrap[2];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L3252

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:3252
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- dom.innerHTML = html.replace(/(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig, "");
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L13392

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:13392
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- td.firstChild.innerHTML = y2;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L21367

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:21367
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- ts.innerHTML = v;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L22741

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:22741
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var html = bd.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L50

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:50
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(body);return this;},call:function(fnName,value,allValues){return this[fnName](value,allValues);},insertFirst:function(el,values,returnElement){return this.doInsert('afterBegin',el,values,returnElement);},insertBefore:function(el,values,returnElement){return this.doInsert('beforeBegin',el,values,returnElement);},insertAfter:function(el,values,returnElement){return this.doInsert('afterEnd',el,values,returnElement);},append:function(el,values,returnElement){return this.doInsert('beforeEnd',el,values,returnElement);},doInsert:function(where,el,values,returnEl){el=Ext.getDom(el);var newNode=Ext.DomHelper.insertHtml(where,el,this.applyTemplate(values));return returnEl?Ext.get(newNode,true):newNode;},overwrite:function(el,values,returnElement){el=Ext.getDom(el);el.innerHTML=this.applyTemplate(values);return returnElement?Ext.get(el.firstChild,true):el.firstChild;}};Ext.Template.prototype.apply=Ext.Template.prototype.applyTemplate;Ext.DomHelper.Template=Ext.Template;Ext.Template.from=function(el){el=Ext.getDom(el);return new Ext.Template(el.value||el.innerHTML);};Ext.MasterTemplate=function(){Ext.MasterTemplate.superclass.constructor.apply(this,arguments);this.originalHtml=this.html;var st={};var m,re=this.subTemplateRe;re.lastIndex=0;var subIndex=0;while(m=re.exec(this.html)){var name=m[1],content=m[2];st[subIndex]={name:name,index:subIndex,buffer:[],tpl:new Ext.Template(content)};if(name){st[name]=st[subIndex];}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L57

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:57
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return this;},applyTemplate:function(values){var s=this.subs;var replaceIndex=-1;this.html=this.originalHtml.replace(this.subTemplateRe,function(m,name){return s[++replaceIndex].buffer.join("");});return Ext.MasterTemplate.superclass.applyTemplate.call(this,values);},apply:function(){return this.applyTemplate.apply(this,arguments);},compile:function(){return this;}});Ext.MasterTemplate.prototype.addAll=Ext.MasterTemplate.prototype.fill;Ext.MasterTemplate.from=function(el){el=Ext.getDom(el);return new Ext.MasterTemplate(el.value||el.innerHTML);};
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L942

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:942
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- buf.push('<tr class="x-date-mp-btns"><td colspan="4"><button type="button" class="x-date-mp-ok">',this.okText,'</button><button type="button" class="x-date-mp-cancel">',this.cancelText,'</button></td></tr>','</table>');this.monthPicker.update(buf.join(''));this.monthPicker.on('click',this.onMonthClick,this);this.monthPicker.on('dblclick',this.onMonthDblClick,this);this.mpMonths=this.monthPicker.select('td.x-date-mp-month');this.mpYears=this.monthPicker.select('td.x-date-mp-year');this.mpMonths.each(function(m,a,i){i+=1;if((i%2)==0){m.dom.xmonth=5+Math.round(i*.5);}else{m.dom.xmonth=Math.round((i-1)*.5);}});}},showMonthPicker:function(){this.createMonthPicker();var size=this.el.getSize();this.monthPicker.setSize(size);this.monthPicker.child('table').setSize(size);this.mpSelMonth=(this.activeDate||this.value).getMonth();this.updateMPMonth(this.mpSelMonth);this.mpSelYear=(this.activeDate||this.value).getFullYear();this.updateMPYear(this.mpSelYear);this.monthPicker.slideIn('t',{duration:.2});},updateMPYear:function(y){this.mpyear=y;var ys=this.mpYears.elements;for(var i=1;i<=10;i++){var td=ys[i-1],y2;if((i%2)==0){y2=y+Math.round(i*.5);td.firstChild.innerHTML=y2;td.xyear=y2;}else{y2=y-(5-Math.round(i*.5));td.firstChild.innerHTML=y2;td.xyear=y2;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1088

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1088
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.boundEl=Ext.get(el);var v=value!==undefined?value:this.boundEl.dom.innerHTML;if(!this.rendered){this.render(this.parentEl||document.body);}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1680

Insecure DOM Manipulation (XSS) in ext-core-debug.js

CWE-79
File Location: lib/web/extjs/ext-core-debug.js:1680
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- textEl.dom.innerHTML = 'X';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L22

Insecure DOM Manipulation (XSS) in ext-core.js

CWE-79
File Location: lib/web/extjs/ext-core.js:22
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return el;};var ieTable=function(depth,s,h,e){tempTableEl.innerHTML=[s,h,e].join('');var i=-1,el=tempTableEl;while(++i<depth){el=el.firstChild;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L40

Insecure DOM Manipulation (XSS) in ext-core.js

CWE-79
File Location: lib/web/extjs/ext-core.js:40
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return returnElement?Ext.get(newNode,true):newNode;},overwrite:function(el,o,returnElement){el=Ext.getDom(el);el.innerHTML=createHtml(o);return returnElement?Ext.get(el.firstChild,true):el.firstChild;},createTemplate:function(o){var html=createHtml(o);return new Ext.Template(html);}};}();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L50

Insecure DOM Manipulation (XSS) in ext-core.js

CWE-79
File Location: lib/web/extjs/ext-core.js:50
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(body);return this;},call:function(fnName,value,allValues){return this[fnName](value,allValues);},insertFirst:function(el,values,returnElement){return this.doInsert('afterBegin',el,values,returnElement);},insertBefore:function(el,values,returnElement){return this.doInsert('beforeBegin',el,values,returnElement);},insertAfter:function(el,values,returnElement){return this.doInsert('afterEnd',el,values,returnElement);},append:function(el,values,returnElement){return this.doInsert('beforeEnd',el,values,returnElement);},doInsert:function(where,el,values,returnEl){el=Ext.getDom(el);var newNode=Ext.DomHelper.insertHtml(where,el,this.applyTemplate(values));return returnEl?Ext.get(newNode,true):newNode;},overwrite:function(el,values,returnElement){el=Ext.getDom(el);el.innerHTML=this.applyTemplate(values);return returnElement?Ext.get(el.firstChild,true):el.firstChild;}};Ext.Template.prototype.apply=Ext.Template.prototype.applyTemplate;Ext.DomHelper.Template=Ext.Template;Ext.Template.from=function(el){el=Ext.getDom(el);return new Ext.Template(el.value||el.innerHTML);};Ext.MasterTemplate=function(){Ext.MasterTemplate.superclass.constructor.apply(this,arguments);this.originalHtml=this.html;var st={};var m,re=this.subTemplateRe;re.lastIndex=0;var subIndex=0;while(m=re.exec(this.html)){var name=m[1],content=m[2];st[subIndex]={name:name,index:subIndex,buffer:[],tpl:new Ext.Template(content)};if(name){st[name]=st[subIndex];}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L212

Insecure DOM Manipulation (XSS) in grid.js

CWE-79
File Location: lib/web/extjs/package/grid/grid.js:212
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return false;},onInitDrag:function(e){var data=this.dragData;this.ddel.innerHTML=this.grid.getDragDropText();this.proxy.update(this.ddel);},afterRepair:function(){this.dragging=false;},getRepairXY:function(e,data){return false;},onEndDrag:function(data,e){},onValidDrop:function(dd,e,id){this.hideProxy();},beforeInvalidDrop:function(e,id){}});
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L54

Insecure DOM Manipulation (XSS) in layout.js

CWE-79
File Location: lib/web/extjs/package/layout/layout.js:54
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if((!c.titlebar&&!c.title)||c.titlebar===false){this.titleEl.hide();}else{this.titleEl.show();if(c.title){this.titleTextEl.innerHTML=c.title;}}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L27

Insecure DOM Manipulation (XSS) in tabs.js

CWE-79
File Location: lib/web/extjs/package/tabs/tabs.js:27
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.refreshDelegate=this._handleRefresh.createDelegate(this,[url,params,loadOnce]);this.on("activate",this.refreshDelegate);return this.bodyEl.getUpdateManager();},_handleRefresh:function(url,params,loadOnce){if(!loadOnce||!this.loaded){var updater=this.bodyEl.getUpdateManager();updater.update(url,params,this._setLoaded.createDelegate(this));}},refresh:function(){if(this.refreshDelegate){this.loaded=false;this.refreshDelegate();}},_setLoaded:function(){this.loaded=true;},closeClick:function(e){var o={};e.stopEvent();this.fireEvent("beforeclose",this,o);if(o.cancel!==true){this.tabPanel.removeTab(this.id);}},closeText:"Close this tab"});Ext.TabPanel.prototype.createStrip=function(container){var strip=document.createElement("div");strip.className="x-tabs-wrap";container.appendChild(strip);return strip;};Ext.TabPanel.prototype.createStripList=function(strip){strip.innerHTML='<div class="x-tabs-strip-wrap"><table class="x-tabs-strip" cellspacing="0" cellpadding="0" border="0"><tbody><tr></tr></tbody></table></div>';return strip.firstChild.firstChild.firstChild.firstChild;};Ext.TabPanel.prototype.createBody=function(container){var body=document.createElement("div");Ext.id(body,"tab-body");Ext.fly(body).addClass("x-tabs-body");container.appendChild(body);return body;};Ext.TabPanel.prototype.createItemBody=function(bodyEl,id){var body=Ext.getDom(id);if(!body){body=document.createElement("div");body.id=id;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1490

Insecure DOM Manipulation (XSS) in jquery-1.8.2.js

CWE-79
File Location: lib/web/jquery/jquery-1.8.2.js:1490
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<div></div>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L3829

Insecure DOM Manipulation (XSS) in jquery-1.8.2.js

CWE-79
File Location: lib/web/jquery/jquery-1.8.2.js:3829
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<select></select>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L3838

Insecure DOM Manipulation (XSS) in jquery-1.8.2.js

CWE-79
File Location: lib/web/jquery/jquery-1.8.2.js:3838
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<div class='hidden e'></div><div class='hidden'></div>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5212

Insecure DOM Manipulation (XSS) in jquery-1.8.2.js

CWE-79
File Location: lib/web/jquery/jquery-1.8.2.js:5212
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<p test=''></p>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2558

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery/jquery.js:2558
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = "<a href='#'></a>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5430

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: lib/web/jquery/jquery.js:5430
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- dest.innerHTML = src.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1964

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/prototype/prototype.js:1964
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<tbody><tr><td>test</td></tr></tbody>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L369

Insecure DOM Manipulation (XSS) in ForceBlocks.js

CWE-79
File Location: lib/web/tiny_mce/classes/ForceBlocks.js:369
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- sn.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L713

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/paste/editor_plugin_src.js:713
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html = p.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L322

Insecure DOM Manipulation (XSS) in editor_plugin_src.js

CWE-79
File Location: lib/web/tiny_mce/plugins/spellchecker/editor_plugin_src.js:322
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var word = wordSpan.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L43

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: lib/web/tiny_mce/plugins/style/js/props.js:43
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('border_color_left_pickcontainer').innerHTML = getColorPickerHTML('border_color_left_pick','border_color_left');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L357

Insecure DOM Manipulation (XSS) in charmap.js

CWE-79
File Location: lib/web/tiny_mce/themes/advanced/js/charmap.js:357
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elmV.innerHTML = '&' + codeA;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L517

Insecure DOM Manipulation (XSS) in scripts.js

CWE-79
File Location: app/code/Magento/Sales/view/adminhtml/web/order/create/scripts.js:517
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- priceColl.innerHTML = this.currencySymbol + productPrice.toFixed(2);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L358

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:358
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tests.innerHTML = "";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L748

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:748
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- moduleFilter.innerHTML = moduleFilterHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1391

Insecure DOM Manipulation (XSS) in qunit-1.14.0.js

CWE-79
File Location: dev/tests/js/framework/qunit/qunit-1.14.0.js:1391
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml + " <b class='counts'>(<b class='failed'>" + bad + "</b>, <b class='passed'>" + good + "</b>, " + this.assertions.length + ")</b>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1178

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/extjs/adapter/prototype/prototype.js:1178
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $(element).innerHTML = html.stripScripts();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1566

Insecure DOM Manipulation (XSS) in prototype.js

CWE-79
File Location: lib/web/extjs/adapter/prototype/prototype.js:1566
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '<table><tbody><tr><td>' + html.stripScripts() + '</td></tr></tbody></table>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L38

Insecure DOM Manipulation (XSS) in scriptaculous.js

CWE-79
File Location: lib/web/extjs/adapter/prototype/scriptaculous.js:38
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script type="text/javascript" src="'+libraryName+'"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L3403

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:3403
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- mm.dom.firstChild.innerHTML = msg;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14989

Insecure DOM Manipulation (XSS) in ext-all-debug.js

CWE-79
File Location: lib/web/extjs/ext-all-debug.js:14989
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- s.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1040

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1040
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- Ext.Element.uncache(this.el,this.tr);}};Ext.Toolbar.Item=function(el){this.el=Ext.getDom(el);this.id=Ext.id(this.el);this.hidden=false;};Ext.Toolbar.Item.prototype={getEl:function(){return this.el;},render:function(td){this.td=td;td.appendChild(this.el);},destroy:function(){this.td.parentNode.removeChild(this.td);},show:function(){this.hidden=false;this.td.style.display="";},hide:function(){this.hidden=true;this.td.style.display="none";},setVisible:function(visible){if(visible){this.show();}else{this.hide();}},focus:function(){Ext.fly(this.el).focus();},disable:function(){Ext.fly(this.td).addClass("x-item-disabled");this.disabled=true;this.el.disabled=true;},enable:function(){Ext.fly(this.td).removeClass("x-item-disabled");this.disabled=false;this.el.disabled=false;}};Ext.Toolbar.Separator=function(){var s=document.createElement("span");s.className="ytb-sep";Ext.Toolbar.Separator.superclass.constructor.call(this,s);};Ext.extend(Ext.Toolbar.Separator,Ext.Toolbar.Item,{enable:Ext.emptyFn,disable:Ext.emptyFn,focus:Ext.emptyFn});Ext.Toolbar.Spacer=function(){var s=document.createElement("div");s.className="ytb-spacer";Ext.Toolbar.Spacer.superclass.constructor.call(this,s);};Ext.extend(Ext.Toolbar.Spacer,Ext.Toolbar.Item,{enable:Ext.emptyFn,disable:Ext.emptyFn,focus:Ext.emptyFn});Ext.Toolbar.Fill=Ext.extend(Ext.Toolbar.Spacer,{render:function(td){td.style.width='100%';Ext.Toolbar.Fill.superclass.render.call(this,td);}});Ext.Toolbar.TextItem=function(text){var s=document.createElement("span");s.className="ytb-text";s.innerHTML=text;Ext.Toolbar.TextItem.superclass.constructor.call(this,s);};Ext.extend(Ext.Toolbar.TextItem,Ext.Toolbar.Item,{enable:Ext.emptyFn,disable:Ext.emptyFn,focus:Ext.emptyFn});Ext.Toolbar.Button=function(config){Ext.Toolbar.Button.superclass.constructor.call(this,null,config);};Ext.extend(Ext.Toolbar.Button,Ext.Button,{render:function(td){this.td=td;Ext.Toolbar.Button.superclass.render.call(this,td);},destroy:function(){Ext.Toolbar.Button.superclass.destroy.call(this);this.td.parentNode.removeChild(this.td);},show:function(){this.hidden=false;this.td.style.display="";},hide:function(){this.hidden=true;this.td.style.display="none";},disable:function(){Ext.fly(this.td).addClass("x-item-disabled");this.disabled=true;},enable:function(){Ext.fly(this.td).removeClass("x-item-disabled");this.disabled=false;}});Ext.ToolbarButton=Ext.Toolbar.Button;Ext.Toolbar.MenuButton=function(config){Ext.Toolbar.MenuButton.superclass.constructor.call(this,null,config);};Ext.extend(Ext.Toolbar.MenuButton,Ext.MenuButton,{render:function(td){this.td=td;Ext.Toolbar.MenuButton.superclass.render.call(this,td);},destroy:function(){Ext.Toolbar.MenuButton.superclass.destroy.call(this);this.td.parentNode.removeChild(this.td);},show:function(){this.hidden=false;this.td.style.display="";},hide:function(){this.hidden=true;this.td.style.display="none";}});
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1298

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1298
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.updateExpandIcon();}}};Ext.tree.RootTreeNodeUI=function(){Ext.tree.RootTreeNodeUI.superclass.constructor.apply(this,arguments);};Ext.extend(Ext.tree.RootTreeNodeUI,Ext.tree.TreeNodeUI,{render:function(){if(!this.rendered){var targetNode=this.node.ownerTree.innerCt.dom;this.node.expanded=true;targetNode.innerHTML='<div class="x-tree-root-node"></div>';this.wrap=this.ctNode=targetNode.firstChild;}},collapse:function(){},expand:function(){}});
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1436

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1436
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- break;default:var t=Ext.getDom(this.msgTarget);t.innerHTML='';t.style.display='none';break;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1668

Insecure DOM Manipulation (XSS) in ext-all.js

CWE-79
File Location: lib/web/extjs/ext-all.js:1668
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if(c.collapsedTitle&&(this.position=="north"||this.position=="south")){this.collapsedTitleTextEl=dh.append(this.collapsedEl.dom,{tag:"div",cls:"x-unselectable x-layout-panel-hd-text",id:"message",unselectable:"on",style:{"float":"left"}});this.collapsedTitleTextEl.innerHTML=c.collapsedTitle;}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output