search envelope-o feed check
Home Unanswered Active Tags New Question
user comment-o

Static Security Analysis flags CWE-77 thousands of times

Asked by Carlos Guevara
8 hours ago.

I am a happy user of DayPilot and love it. It is an amazing product. I do have a situation were someone ran a statict security analysis using fortisecdev on version 2025.3.703-lite and found thousands of issues flagged as CWE-77 Improper Neutralization of special elements, but internally it states the errors as generic object injection sink.

Is this a false positive? Do newer versions correct this issue? Anyone else seen something similar? It primarily sees this in file daypilot-month-min.js.

Any help would be greatly appreciated. The tool does not provide any further indications.

Comment posted by Dan Letecky [DayPilot]
8 hours ago.

CWE-77 is not applicable to client-side code and this looks like a false positive.

Do you have references to code that is marked this way?

Comment posted by Carlos Guevara
8 hours ago.

It didn’t look like a proper identification of a vulnerability, but the security team here does not know much about code and consider the findings of this tool like the bible. I have attached all of what the tool says in an image.

Answer posted by Dan Letecky [DayPilot]
8 hours ago.

Basically, the only risk is injection of unsanitized HTML from user input (displayed to other users).

DayPilot includes built-in XSS protection. It automatically encodes all input values that are supposed to be text (i.e. all properties with text in name, e.g. DayPilot.Event.data.text). But it also supports direct HTML access (especially for customization).

If you don’t want to rely on the built-in escaping, you can use html properties and encode the values yourself.

A static analysis tool will find cases where content is set using innerHTML. But that doesn’t say much by itself. It will have a hard time detecting a real security issue (where text is used for innerHTML without escaping), but a good tool might be able to find it. However, I would expect such a tool to report an exact location and mechanism and describe it correctly (not using CWE-77).

Your screenshot doesn’t say much about the actual place it doesn’t like so it’s hard to comment it.

New Reply
This reply is
Attachments:
or drop files here
Your name (optional):