This code probably comes from History.getToken(). It's only vulnerable to XSS if you inject the value into the DOM as innerHTML or eval() it. GWT doesn't do that, but your code could. Chase down all uses of eval() or injection of HTML into the DOM without using SafeHtml; and where it uses SafeHtml, double-check the uses of fromTrustedString.
-- But this code, as-is, is not enough to present an XSS vulnerability.
On Monday, May 19, 2014 4:49:25 AM UTC+2, William Young wrote:
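The two halves of the point made in the reply above, as an added example that is not from this thread or from the GWT project: a History.getToken()-style fragment is inert until it is concatenated into innerHTML-bound markup or handed to eval(), and the "chase down the sinks" audit the reply recommends can be scripted. Everything here is constructed for illustration: the token, the sample source lines and the sink patterns are assumptions, and escapeHtml is a stand-in for GWT's SafeHtmlUtils.htmlEscape.

```javascript
// Added example (not from the GWT thread or the GWT project). Shows why a
// History.getToken() value is harmless until it reaches an HTML or script sink,
// plus a small source audit for the sinks the reply tells you to chase down.

// Constructed, attacker-controlled fragment, as History.getToken() would
// return it after the user follows a link like  app.html#<payload>
const UNTRUSTED_TOKEN = 'home"><img src=x onerror=alert(1)>';

// Minimal HTML escaping, the same idea as GWT's SafeHtmlUtils.htmlEscape.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the raw token is concatenated into markup that the caller
// will assign to innerHTML (or pass to Element.setInnerHTML in GWT).
function renderTokenUnsafe(token) {
  return '<a href="#' + token + '">' + token + '</a>';
}

// SAFE: every interpolation is escaped first, which is what building the
// markup with SafeHtmlBuilder.appendEscaped / SafeHtmlUtils.fromString does,
// as opposed to wrapping the raw string with fromTrustedString.
function renderTokenSafe(token) {
  const t = escapeHtml(token);
  return '<a href="#' + t + '">' + t + '</a>';
}

// The template above contributes exactly two raw '<' characters (<a ... </a>).
// Any further raw '<' means the token smuggled in a tag of its own.
function introducesTag(markup) {
  return (markup.match(/</g) || []).length > 2;
}

// Audit helper for the sinks named in the reply. Line numbers are 1-based.
// The patterns are an assumption: a starting point for grep, not a parser.
const SINK_PATTERNS = [
  { sink: 'eval()', re: /\beval\s*\(/ },
  { sink: 'innerHTML', re: /\.(innerHTML|outerHTML)\s*=/ },
  { sink: 'setInnerHTML()', re: /\.setInnerHTML\s*\(/ },
  { sink: 'fromTrustedString()', re: /\bfromTrustedString\s*\(/ },
];

function findSinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, sink, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample of GWT/JSNI-style source to audit (not real project code).
const SAMPLE_SOURCE = [
  'String token = History.getToken();',
  'panel.getElement().setInnerHTML("<b>" + token + "</b>");', // sink
  'SafeHtml h = SafeHtmlUtils.fromTrustedString(token);',     // sink
  'SafeHtml ok = SafeHtmlUtils.fromString(token);',           // escaped, fine
  'label.setText(token);',                                    // text node, fine
  '$wnd.eval(token);',                                        // sink (JSNI)
].join('\n');

console.log('unsafe introduces tag:', introducesTag(renderTokenUnsafe(UNTRUSTED_TOKEN)));
console.log('safe introduces tag:  ', introducesTag(renderTokenSafe(UNTRUSTED_TOKEN)));
for (const h of findSinks(SAMPLE_SOURCE)) {
  console.log('line ' + h.line + ' ' + h.sink + ': ' + h.text);
}
```

The audit flags lines 2, 3 and 6 of the sample and leaves fromString and setText alone, which mirrors the reply's advice: the token itself is not the bug, the sink it ends up in is. Treat fromTrustedString hits as the ones needing a human review, since the compiler will not check what the "trusted" string contains.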
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
Visit this group at http://groups.google.com/group/google-web-toolkit.