Changes between Initial Version and Version 1 of Ticket #10773


Timestamp: Feb 19, 2010, 9:20:32 PM (11 years ago)
Author: James Burke
Comment:

Thank you for the report. While we do not have a formal security policy set up, I believe normal security practice is to try to contact a team member in a private channel and allow us to work on the issue before making it public. Or to open the bug but not mention specifics until one of us can contact you privately.

The two sources of the vulnerabilities, testCommon.js and runner.html are test files. It is not expected that those files are deployed to production servers, although I can see how it might happen, and it is best to avoid the problems if we can, so we should fix the issues. I have marked this for the 1.4.2 release.

  • Ticket #10773

    • Property Milestone changed from tbd to 1.4.2
  • Ticket #10773 – Description

    initial  v1
    3        3    Multiple DOM-Based XSS in Dojo Toolkit SDK
    4        4
    5             Adam Bixby - Gotham Digital Science ([email protected])
             5    Adam Bixby - Gotham Digital Science
    6        6
    7        7    Affected Software:  Dojo Toolkit SDK <= Build 1.4.1rc1
    ...
    77       77   A JavaScript encoding function should be wrapped around the user-controllable variables to ensure that malicious data is properly encoded before rendering in the browser.
    78       78
    79            ===========================================================
    80
    81            5. About Gotham Digital Science
    82            ===========================================================
    83
    84            Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, and manage security risks. For more information on GDS, please contact [email protected] or visit http://www.gdssecurity.com.
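The mitigation the advisory recommends at description line 77 (wrap an encoding function around user-controllable variables before rendering), shown as an added example. This is not code from the ticket, the GDS advisory or the Dojo Toolkit; the page gives no specifics of the testCommon.js and runner.html issues, so the example is generic. The names encodeForHtml, extractParam, renderUnsafe, renderSafe and SAMPLE_QUERY are assumptions chosen for the illustration, and the query string is a constructed sample.

```javascript
// Added example, not from the Dojo ticket or the GDS advisory: an HTML
// encoding function wrapped around a user-controllable value before that
// value is rendered, which is the mitigation the advisory recommends.

// Characters that carry meaning in HTML text and quoted attribute values,
// mapped to their entity form.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser renders it as literal text, not markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Typical DOM-based XSS source: a parameter read from the page's own URL
// (location.search in a browser). The query string is passed in here so the
// function runs outside a browser; URLSearchParams handles percent-decoding.
function extractParam(queryString, name) {
  const params = new URLSearchParams(queryString);
  return params.get(name) ?? '';
}

// Vulnerable pattern: the untrusted value is concatenated into markup as-is,
// so any tags or attributes it carries are parsed by the browser.
function renderUnsafe(untrustedValue) {
  return '<p>Results for: ' + untrustedValue + '</p>';
}

// Mitigated pattern: same template, but the user-controllable variable is
// wrapped in the encoding function before it reaches the HTML sink.
function renderSafe(untrustedValue) {
  return '<p>Results for: ' + encodeForHtml(untrustedValue) + '</p>';
}

// Constructed sample query string (not from the advisory); the value carries
// markup and both quote characters so every escape is exercised.
const SAMPLE_QUERY = '?q=' + encodeURIComponent('Tom & Jerry <b>"bold"</b> it\'s');

const untrusted = extractParam(SAMPLE_QUERY, 'q');
console.log('unsafe: ' + renderUnsafe(untrusted));
console.log('safe:   ' + renderSafe(untrusted));
```

In a browser the sink would be something like `element.innerHTML = renderSafe(untrusted)`; where the goal is to display plain text, assigning the raw value to `textContent` avoids the HTML context altogether and needs no encoding. The encoder above covers only the HTML element and quoted-attribute context; a value placed into a script block, an event handler or a URL needs the encoder for that context.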