How can I resolve the vulnerability in JSTree's get_node flagged by Checkmarx?

[jportilloa]

In Checkmarx, this vulnerability is flagged as follows: "The method function embeds untrusted data in generated output with jQuery, at line 962 of jstree. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page." This vulnerability arises from the following code:

else if(typeof obj === "string" && (dom = `$('#'` + obj.replace($.jstree.idregex,'\\$&'), this.element)).length && this._model.data[dom.closest('.jstree-node').attr('id')]) {
    obj = this._model.data[dom.closest('.jstree-node').attr('id')];
}

And also this:

if(as_dom) {
    obj = obj.id === $.jstree.root ? this.element : $('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element);
}

These snippets reference the following code:

$('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)

And this:

$('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element)

[vakata]

I guess those snippets could be replaced with this.element.querySelector(... but I will check and let you know.

[jportilloa]

Hello, thank you for responding. Yes, I tried with this.element.querySelector(...); it no longer detects the vulnerability, but the get_node function doesn't work properly anymore.