Thomas,

I am using GWT 2.0.3 and this is being generated in the *.nocache.js. Is 
there any solution to this? This clearly seems like an XSS vulnerability 
to me. Have you fixed this in a later version? If yes, then which one?

On Tuesday, April 16, 2013 6:49:29 PM UTC-4, Thomas Broyer wrote:
>
> The question is: have you found where this script is coming from? 'cause I 
> can't.
>
> On Tuesday, April 16, 2013 5:46:34 PM UTC+2, Shashank Raj Holavanalli 
> wrote:
>>
>> I know exactly what is happening here. The variable "r" has everything 
>> that is present in the browser address bar. So a hacker can inject some 
>> HTML in the URL like this: http://domain.com/<script></script>. When 
>> variable "r" is written to the document using document.write(lc + r + uc), the 
>> injected script gets written into the HTML document. This is a perfect 
>> example of a DOM-based cross-site scripting issue. I think GWT has to provide 
>> developers a way to avoid this kind of vulnerability.
>>
>> On Friday, November 9, 2012 1:37:38 AM UTC-5, Anuradha bhat wrote:
>>>
>>> Hi,
>>>    We have developed a GWT application. We found a DOM-based cross-site 
>>> scripting issue in our .nocache.js file. Here is the part of the code 
>>> mentioned in the .js file which is vulnerable. Can anybody help me find 
>>> which type of Java code will generate this code? Is there any way to do 
>>> reverse engineering?
>>>  r = h(l.location.href)
>>>  function h(a) {
>>>  return d >= 0 ? a.substring(0, d + 1) : M
>>>  r = h(l.location.href)
>>>  if (y()) {
>>>  document.write(lc + r + uc)
>>>
>>
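
The pattern discussed in this thread (a base URL cut from location.href and concatenated into document.write), shown beside two safer forms, as an added example that is not GWT's generated code or any poster's code. The values of LC and UC, the file name app.cache.js, the empty-string fallback and all function names are assumptions, since the thread does not show what lc, uc and M contain.

```javascript
// Assumed stand-ins for lc and uc; the thread does not show their values.
const LC = '<script src="';
const UC = 'app.cache.js"></script>';

// Mirrors h(): keep everything up to and including the last "/".
// Query and fragment are dropped first so a "/" inside them is not taken
// for a path separator (assumption: the snippet elides how d is computed).
function baseFromHref(href) {
  const cut = href.search(/[?#]/);
  const path = cut >= 0 ? href.substring(0, cut) : href;
  const d = path.lastIndexOf('/');
  return d >= 0 ? path.substring(0, d + 1) : ''; // '' stands in for M
}

// Pattern from the thread: address-bar data concatenated straight into markup.
function markupUnescaped(href) {
  return LC + baseFromHref(href) + UC;
}

// Escape the characters that can close an attribute value or open a tag.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened string form: accept only http(s) bases and escape before writing.
function markupEscaped(href) {
  const base = baseFromHref(href);
  if (!/^https?:\/\//i.test(base)) throw new Error('unexpected base URL');
  return LC + escapeAttr(base) + UC;
}

// Preferred in a browser: no markup is parsed, the URL is set as a property.
function appendScript(doc, href) {
  const s = doc.createElement('script');
  s.src = baseFromHref(href) + 'app.cache.js';
  doc.head.appendChild(s);
  return s;
}
```

In a page, `appendScript(document, location.href)` replaces the `document.write` call; the string-building functions exist so the difference in output can be inspected outside a browser.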
