Opened 11 years ago

Closed 11 years ago

#13267 closed defect (fixed)

allows untrusted code to execute

Reported by: Douglas Hays
Owned by: Kris Zyp
Priority: blocker
Milestone: 1.7
Component: Dojox
Version: 1.7.0b1
Keywords:
Cc:
Blocked By:
Blocking:


Surrounding any evil-doer string with 1/1; allows the code to be executed.

var sandbox ="sandbox"));
var code = "1/1;"+
        "window.location.href ='';"+

Change History (1)

comment:1 Changed 11 years ago by Kris Zyp

Resolution: fixed
Status: new → closed

(In [25676]) Remove support for regex to prevent slash-based attacks, fixes #13267 !strict
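The slash ambiguity behind this ticket, as an added example (not code from the ticket, the changeset, or dojox.secure): a simplified, assumed model of a source validator that skips regex literals, next to one with regex support removed. `FORBIDDEN`, the function names and the sample inputs are constructed for illustration.

```javascript
// Simplified model for illustration; not dojox.secure's implementation.
// FORBIDDEN is a constructed list of globals a sandbox would refuse to expose.
const FORBIDDEN = /\b(?:window|document|eval|Function)\b/;

// Blank out string literals so their contents are not judged as code.
function stripStrings(src) {
  return src.replace(/("|')(?:\\.|(?!\1)[^\\\n])*\1/g, '""');
}

// Weak: assumes any /.../ run is a regex literal and skips over it unchecked.
function validateWithRegexSupport(src) {
  const visible = stripStrings(src).replace(/\/(?:\\.|[^\/\\\n])+\/[gim]*/g, "0");
  return !FORBIDDEN.test(visible);
}

// Hardened: no regex-literal handling, so text between slashes is checked too.
function validateWithoutRegexSupport(src) {
  return !FORBIDDEN.test(stripStrings(src));
}

// The engine parses "1/1" as division, so the statement between the two
// divisions runs. A harmless probe object stands in for the middle statement.
function engineRunsMiddleStatement() {
  const probe = { hit: false };
  new Function("probe", "1/1; probe.hit = true; 1/1")(probe);
  return probe.hit;
}

// Constructed sample inputs following the pattern in the report.
const wrapped = '1/1; window.location.href = ""; 1/1';
const plain = 'window.location.href = "";';
const benign = 'var s = "window"; var n = 4 / 2;';

console.log({
  wrappedAcceptedByWeak: validateWithRegexSupport(wrapped),
  wrappedAcceptedByHardened: validateWithoutRegexSupport(wrapped),
  plainAcceptedByWeak: validateWithRegexSupport(plain),
  benignAcceptedByHardened: validateWithoutRegexSupport(benign),
  engineRunsMiddleStatement: engineRunsMiddleStatement(),
});
```

In this model, dropping regex support errs toward rejection: a legitimate literal such as `/window/` is refused, because the validator no longer guesses which slashes open a regex.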
