Checkmarx Client_Reflected_File_Download security vulnerability

  • Question

  • Hi, Checkmarx has detected a security vulnerability in the code: "Cross-domain 'jsonp' ajax call not XSS safe." The suggestion given was: "An explicit file name is not defined for the Content-Disposition header. Filename attribute is required in order to prevent the browser from assuming the resource is an executable and download a possibly malicious file."

    The code works fine but security tool has identified this.

     // jQuery UI autocomplete "source" callback: "request.term" is the typed text,
     // "response" hands the matches back to the widget.
     source: function(request, response) {
       $.ajax({
         url: "https://www.example.com?format=rich&client=aem_frontend",
         // jsonp: jQuery injects a <script> tag and appends callback=jQuery<id>_<ts>
         dataType: "jsonp",
         data: "&q=" + request.term,
         success: function(data) {
           $('.searchPanel').css('display', 'none');
           if (data.results.length > 0) {
             response($.map(data.results, function(item) {
               return {
                 label: item.name
               };
             }));
           } else {
             $('.ui-autocomplete').css('display', 'none');
             $('.searchPanel').css('display', 'block');
             // $('#zero-result').removeClass("noDisplay").css('display','block');
             // $('#err_text').text("Whoops! We couldn't find any matches for " + request.term);
           }
         },
         error: function(data) {
           alert("inside failure " + data.status + ' ' + data.statusText);
         }
       });
     }

    Regards,
    Vaibhav Kaulkar

    Saturday, October 13, 2018 10:54 AM
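The Checkmarx finding is about the headers the JSONP endpoint sends back, not about the jQuery call itself, so the fix belongs on the server. As an added illustration (not from the original post, from Checkmarx, or from the example.com service), here is a Node.js-style responder that sets the explicit Content-Disposition filename the tool asks for and reflects only a well-formed callback name; the search data, the `handleSearch` helper and the `f.txt` filename are constructed for this example.

```javascript
// Added example (not from the original post or from Checkmarx): the server side
// of a JSONP search endpoint hardened the way the finding asks. The client code
// in the question cannot fix this; the response headers have to change.

// jQuery generates callback names like "jQuery331035_1539420000000" and sends
// them in the "callback" query parameter. Only reflect names of that shape.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Constructed sample data standing in for the real search backend.
const SAMPLE_NAMES = ["alpha", "alphabet", "beta"];

function buildJsonpResponse(callbackParam, payload) {
  if (typeof callbackParam !== "string" || !CALLBACK_RE.test(callbackParam)) {
    // Refuse rather than reflect: no caller-controlled text reaches the body.
    return {
      status: 400,
      headers: { "Content-Type": "application/json; charset=utf-8" },
      body: JSON.stringify({ error: "invalid callback name" }),
    };
  }
  // U+2028/U+2029 are legal inside JSON strings but terminate JavaScript lines.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      // nosniff stops the browser from second-guessing the declared type.
      "X-Content-Type-Options": "nosniff",
      // The explicit filename is the missing piece Checkmarx reported. Browsers
      // ignore this header for <script src> loads, so the JSONP client still works.
      "Content-Disposition": 'attachment; filename="f.txt"',
    },
    // Leading comment keeps the body from starting with caller-chosen bytes.
    body: `/**/${callbackParam}(${json});`,
  };
}

// Pure request handler (hypothetical): takes the request URL, returns
// {status, headers, body} so it can be checked without a running server.
function handleSearch(requestUrl) {
  const url = new URL(requestUrl, "https://www.example.com");
  const q = url.searchParams.get("q") || "";
  const results = SAMPLE_NAMES.filter((n) => n.startsWith(q)).map((name) => ({ name }));
  return buildJsonpResponse(url.searchParams.get("callback"), { results });
}
```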

All replies

  • Hi VaibhavKaulkar,

    Thank you for posting here.

    Since your question is more related to ajax, you could post a new thread on Stack Overflow.

    The CLR Forum discusses and asks questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. Also discuss all the other Microsoft libraries that are built on or extend the .NET Framework, including Managed Extensibility Framework (MEF), Charting Controls, CardSpace, Windows Identity Foundation (WIF), Point of Sale (POS), Transactions.

    Best Regards,

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, October 15, 2018 7:31 AM