Veracode detected 5 XSS issues in nocache.js


kaveri
Feb 18, 2020, 2:33:46 PM
to GWT Users
Veracode has reported 5 places with the error "improper neutralization of script-related HTML tags in web page (basic XSS)" in module.nocache.js, at line numbers 4, 10, 9 and 13.

Is there any fix for this issue, or a proper explanation to prove that the code is secure?

Nick Wilton
Feb 18, 2020, 3:05:30 PM
to google-we...@googlegroups.com
module.nocache.js is a build artifact, created with GWT. Like all web technologies it’s up to the developer using GWT to ensure vulnerabilities like XSS are not introduced.

There’s further information about avoiding the introduction of XSS vulnerabilities in GWT applications here:


kaveri dusane
Feb 18, 2020, 9:59:24 PM
to google-we...@googlegroups.com
Thanks Nick for your reply.

I understand that the developer has to make sure that the code is secure. But as you have mentioned, module.nocache.js is a build artifact, so how do we resolve/address the Veracode issues identified in this file?

Nick Wilton
Feb 18, 2020, 11:13:46 PM
to google-we...@googlegroups.com
I suggest you have a look at the OWASP website, it’s an excellent resource to understand this vulnerability and how to address it.

Craig Mitchell
Feb 23, 2020, 7:10:06 PM
to GWT Users
I thought the <module>.nocache.js file just did the loading of the cache.js files, and the user didn't have much control over what went in this file. If there was a security issue with how this file was generated, I imagine it would affect all GWT applications out there.

Thomas Broyer
Feb 24, 2020, 2:47:23 AM
to GWT Users

On Monday, February 24, 2020 at 1:10:06 AM UTC+1, Craig Mitchell wrote:
I thought the <module>.nocache.js file just did the loading of the cache.js files, and the user didn't have much control over what went in this file.

You do have full control: you can choose the linker being used (defaults to the CrossSiteIframeLinker), or configure the behavior of the default linker (see https://github.com/gwtproject/gwt/blob/master/user/src/com/google/gwt/core/CrossSiteIframeLinker.gwt.xml to begin with).
You could extend the CrossSiteIframeLinker (or DirectInstallLinker) and override some of the behavior (e.g. getJsComputeUrlForResource or getJsInstallLocation); see https://github.com/gwtproject/gwt/blob/master/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java and the *.js scripts in https://github.com/gwtproject/gwt/tree/master/dev/core/src/com/google/gwt/core/ext/linker/impl
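As an added illustration of the extension point described above (not code from this thread or from GWT itself): a minimal custom linker that keeps the CrossSiteIframeLinker behaviour but swaps in a template the project owns for the install-location snippet, together with the module-XML lines that select it. The package, class name and resource path are assumptions; the template file is one you write and keep under your own review.

```java
package com.example.gwt.linker; // hypothetical package

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

/**
 * Same bootstrap behaviour as the default linker, except that the snippet
 * which installs compiled code into the iframe comes from a template this
 * project owns, so it can be reviewed and re-scanned like any other source
 * rather than treated as an opaque build artifact.
 * GWT requires every linker to carry @LinkerOrder; @Shardable mirrors the parent.
 */
@LinkerOrder(Order.PRIMARY)
@Shardable
public class ReviewedIframeLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-site iframe linker with a project-reviewed install template";
  }

  // Classpath resource used as the install-location template (hypothetical path).
  // The stock implementation returns GWT's own installLocationIframe.js.
  @Override
  protected String getJsInstallLocation(LinkerContext context) {
    return "com/example/gwt/linker/installLocationReviewed.js";
  }
}

// In the module .gwt.xml, register the linker and make it the primary one:
//   <define-linker name="reviewedxsiframe"
//                  class="com.example.gwt.linker.ReviewedIframeLinker"/>
//   <add-linker name="reviewedxsiframe"/>
```

Start by copying GWT's own installLocationIframe.js (from the impl directory linked above) into that resource path so the hooks the bootstrap expects stay intact, then make and document any changes there; the regenerated nocache.js can then be rescanned with the changed template as the reference.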