How can I resolve the vulnerability in JSTree's get_node flagged by Checkmarx? #2780
jportilloa asked this question in Q&A (unanswered, 0 replies)
In Checkmarx, this vulnerability is flagged as follows: "The method function embeds untrusted data in generated output with jQuery, at line 962 of jstree. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page." This vulnerability arises from the following code:
And also this:
These snippets reference the following code:
$('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)
And this:
$('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element)
I received a response from one of Vakata's team members, who provided this answer: issues. However, after making those changes, replacing $(...) with this.element.querySelector(...), JSTree stopped functioning properly.
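The two flagged lines build a jQuery selector from a node id, and the `.replace($.jstree.idregex, '\\$&')` call is the sanitizer: it backslash-escapes every character that is significant in a CSS/jQuery selector, so untrusted data cannot introduce a selector list, combinator or attribute selector. Static analyzers such as Checkmarx often do not model that call as an encoder and report the sink anyway. The block below is an added example, not jstree's own code or the answer the maintainers gave: `ID_META_REGEX` is an assumed character class modelled on `$.jstree.idregex` (the real one may differ), `escapeNodeId`, `buildIdSelector`, `hasUnescapedMeta` and `findNodeKeepingJQuery` are hypothetical helper names, and the last function assumes jstree's `this.element` is a jQuery collection, which is why calling `querySelector` directly on it does not work.

```javascript
// Added example (not jstree's code): how the flagged selector escaping
// neutralises selector metacharacters, a check for the result, and a refactor
// that keeps jQuery semantics.

// Assumption: a regex modelled on jstree's $.jstree.idregex, matching the
// characters that are significant inside a jQuery/CSS selector. The exact
// character class in jstree may differ; this one is for illustration only.
const ID_META_REGEX = /[\\:&!^|()\[\]<>@*'+~#";.,=\- \/${}%?`]/g;

// Mirror of the expression from the post: obj.replace(idregex, '\\$&').
// In String.prototype.replace, "$&" stands for the matched text, so the JS
// literal '\\$&' (backslash + "$&") prefixes each metacharacter with a
// backslash, producing a CSS-escaped identifier. Numeric ids are coerced.
function escapeNodeId(id) {
  return String(id).replace(ID_META_REGEX, '\\$&');
}

// The full selector jstree builds: '#' followed by the escaped id.
function buildIdSelector(id) {
  return '#' + escapeNodeId(id);
}

// Reviewer check on a built selector: after removing every backslash-escaped
// pair, nothing but '#' and plain identifier characters may remain. Any
// surviving metacharacter would let untrusted data change what is selected.
function hasUnescapedMeta(selector) {
  const stripped = selector.slice(1).replace(/\\./g, '');
  return /[\\:&!^|()\[\]<>@*'+~#";.,=\- \/${}%?`]/.test(stripped);
}

// Refactor sketch that keeps the jQuery contract (assumes `$` is jQuery and
// `container` is a jQuery collection such as jstree's this.element): the
// native lookup runs on the underlying DOM element and the result is
// re-wrapped, so callers still receive a jQuery collection with .length etc.
// Calling container.querySelector(...) directly fails because a jQuery
// collection has no querySelector method, and returning the raw Element
// would break callers that expect a collection.
function findNodeKeepingJQuery($, container, id) {
  const root = container[0];                        // collection -> Element
  const el = root ? root.querySelector(buildIdSelector(id)) : null;
  return $(el);                                      // $(null) is an empty set
}

module.exports = { ID_META_REGEX, escapeNodeId, buildIdSelector, hasUnescapedMeta, findNodeKeepingJQuery };
```

In a browser, `$('#' + CSS.escape(id), this.element)` or, on jQuery 3 and later, `$('#' + $.escapeSelector(id), this.element)` achieve the same escaping with a standard API that some analyzers do recognise as an encoder; otherwise the practical resolution is to mark the `.replace(idregex, '\\$&')` call as a sanitizer in the Checkmarx query set rather than to change working code.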