Having issue with KnockoutJS in Checkmarx vulnerabilities


Sujatha Chellapilla

Jan 14, 2022, 1:18:03 PM
to KnockoutJS

Seeing the following Checkmarx vulnerabilities when I scan my application in Checkmarx. I want to know if these are false positives and how to justify them if they are.

If not, is there any resolution provided? Appreciate all the help.

The application's l=e.length-1;0<=l;l--)for embeds untrusted data in the generated output with appendChild, at line 21 of XXX.WebApp\Scripts\knockout-3.3.0.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


The application's b&& embeds untrusted data in the generated output with appendChild, at line 21 of XXX.WebApp\Scripts\knockout-3.3.0.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


The application's function embeds untrusted data in the generated output with appendChild, at line 581 of XXX.WebApp\Scripts\knockout-3.3.0.debug.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


The application's objectForEach embeds untrusted data in the generated output with appendChild, at line 588 of XXX.WebApp\Scripts\knockout-3.3.0.debug.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


Julio Di Egidio

Jan 15, 2022, 6:53:14 AM
to KnockoutJS
I think it's not even just a false positive, checkmarx is simply wrong here: appendChild takes a Node as argument, not unparsed/untrusted data. And, if you look at the incriminated source code in knockout (look at the debug version), you will see that, while creating a form to do an http post is quite an obsolete way of doing things, there is nothing that is not properly sanitized or encoded there... no?

Julio
