I think what Frank is saying is that those linked issues all related to the GWTTestCase tooling, which is only used for unit tests, and no reasonably-configured application will be serving GWTTestCase contents to users (and will usually only be available locally for 10s of seconds, on a randomly numbered http port). Regardless, this was fixed in the 2.5.1 release.
I don't understand what you mean that your attached references indicate that the issue persists - the first message notes that it was resolved in 2.5.1-rc1 - have you confirmed that there is still an issue in some way? The gwt mailing list email (your third link) enumerates a few plausible-looking issues identified through automated tooling, and explains why these are not real issues. At the time of writing, GWT 2.8.1 was the latest release, so at least 2.8.1 will resolve all of the mentioned issues. It typically has been the policy of the GWT Project to not backport fixes, but maintain backwards compatibility whenever possible (even sometimes beyond what may seem reasonable, like continuing to support IE11 past its end-of-life date, etc). For this reason, we always advise to update to the latest GWT release, to ensure the best compatibility with other tools you are using - newer Java releases, browser updates, etc. On Tuesday, December 26, 2023 at 7:47:27 AM UTC-6 flosanlop17 wrote: > Hi Frank, I'm sorry, but I don't understand your answer, could you explain > a little better, thank you! > > On Friday, December 22, 2023 at 8:15:29 AM UTC-5 Frank Hossfeld wrote: > >> you should never deploy your tests into production. >> flosanlop17 schrieb am Donnerstag, 21. Dezember 2023 um 17:52:49 UTC+1: >> >>> I am currently working on some security incidents reported in an >>> application that uses GWT, in its version 2.5.0 according to the report for >>> this version there are security vulnerabilities related to XSS, I was >>> reading a little the real notes of the versions above this one for example >>> 2.5.1 indicates that this vulnerability was fixed, But on investigation it >>> seems that this is not the case, according to the attached references this >>> novelty still persists. >>> >>> Continue reading the actual notes of later versions, but it's not clear >>> if any security patches were worked on in new versions. >>> >>> Reading the forum, I notice that in version 2.8.1 a vulnerability >>> related to XSS was also identified again. >>> >>> My question is which version then I could use that currently has these >>> vulnerabilities fixed. >>> >>> Very thanks for your help. >>> >>> References >>> https://www.openwall.com/lists/oss-security/2013/08/05/3 >>> https://www.openwall.com/lists/oss-security/2013/08/05/1 >>> https://groups.google.com/g/google-web-toolkit/c/Tx29wSZ8SZQ >>> >> -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/7a2fe253-5cf5-4ee7-8cd6-ca552e973250n%40googlegroups.com.
