Hi,
we are currently going through a security audit and as part of that doing
static code scans. The scanner has returned two issues with the
GWT-generated <module>.nocache.js files.
We can't really fix these as they are generated, but were hoping we could
challenge them if we had a good explanation or some "official" GWT resource
suggesting the code is actually safe.
I have found some previous posts on similar or same issues, but was hoping
I could get a response more relevant to the version we are using (*2.8.1*)
or an official resource (perhaps results of other scans/security audits?).
Below are the two issues with explanations and the code lines.
*1. Cross Site Scripting*
*Description: *The method f() in <module>.nocache.js sends unvalidated data
to a web browser on line 13, which can result in the browser executing
malicious code.
*Code: *
function f(a){
  if(a.match(/^\w+:\/\//)){
  }else{
    var b=r.createElement(Gb);
    b.src=a+Hb;
    a=e(b.src);
  }
  return a;
}
*2. Dynamic Code Evaluation - Code Injection*
*Description: *The file webadmin.nocache.js interprets unvalidated user
input as source code on line 15. Interpreting user-controlled instructions
at run-time can allow attackers to execute malicious code.
*Code*:
if(m.addEventListener){
  m.addEventListener($b,function(){H();M()},false);
}
var L=setInterval(function(){
  if(/loaded|complete/.test(m.readyState)){H();M()}
},50);
n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});
n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});
m.write(_b)}
Thanks for your help!
--
You received this message because you are subscribed to the Google Groups "GWT
Users" group.
Visit this group at https://groups.google.com/group/google-web-toolkit.