Ajax Response Return Html Response (XSS Veracode)
function viewAcc() {
  var errorMsg = '';
  var result = true;
  $('.errorView').hide();
  var accNum = document.getElementById('custAccNum').value;
  var accType = docum
Solution 1:
You can simply use .text() instead of .html(). If you don't have any markup coming from the server, then this is a perfectly viable alternative, since .text() will prevent the content being interpreted as HTML.
//doing sc+ript is only needed here because Stack Snippets otherwise throws an error.
var msg = "This is <b>a message</b> with <script>console.log('some code')</sc"+"ript>";
$("#msgHtml").html(msg);
$("#msgText").text(msg);
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<h3>Message via .html():</h3>
<div id="msgHtml"></div>
<h3>Message via .text():</h3>
<div id="msgText"></div>
Solution 2:
Don't blindly trust tools which claim you are vulnerable to XSS.
You are only at risk of XSS if the value of data is not trustworthy. Since it is coming from your own server, then you should have already sanitised the data for XSS issues before sending it in the response to the Ajax request.
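The two defences the answers describe, as an added example in plain JavaScript (not code from either answer, and runnable without a browser or jQuery): escapeHtml is the server-side encoding Solution 2 expects before the value goes into the Ajax response, and renderErrorMarkup / renderErrorText contrast what .html() and .text() from Solution 1 would put into the errorView element; all three names are hypothetical.

```javascript
// Added example, not from the original question or answers.
//
// escapeHtml(): the server-side step Solution 2 assumes. Encode the five
// characters that can start a tag or break out of an attribute, '&' first so
// the entities produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors $('.errorView').html(msg): the raw string is inserted, so any tag
// inside msg becomes live markup in the page.
function renderErrorMarkup(msg) {
  return '<div class="errorView">' + msg + '</div>';
}

// Mirrors $('.errorView').text(msg): jQuery sets the element's text node, so
// the browser shows the markup characters literally. Producing the same result
// as a string means encoding them, which is exactly escapeHtml().
function renderErrorText(msg) {
  return '<div class="errorView">' + escapeHtml(msg) + '</div>';
}

// Constructed sample: an error message that contains markup, in the same
// style as the snippet in Solution 1.
var SAMPLE_MSG =
  'Account <b>not found</b> <script>console.log("some code")</script>';

// Returns both renderings so the difference can be inspected or asserted on.
function demo(msg) {
  return {
    viaHtml: renderErrorMarkup(msg), // script tag survives intact
    viaText: renderErrorText(msg)    // script tag is inert text
  };
}
```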