Hi,
we are currently going through a security audit and as part of that doing static code scans. The scanner has returned two issues with the GWT-generated <module>.nocache.js files.
We can't really fix these as they are generated, but were hoping we could challenge them if we had a good explanation or some "official" GWT resource suggesting the code is actually safe.
I have found some previous posts on similar or same issues, but was hoping I could get a response more relevant to the version we are using (2.8.1) or an official resource (perhaps results of other scans/security audits?).
Below are the two issues with explanations and the code lines.
1. Cross Site Scripting
Description: The method f() in <module>.nocache.js sends unvalidated data to a web browser on line 13, which can result in the browser executing malicious code.
Code: function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}
2. Dynamic Code Evaluation - Code Injection
Description: The file webadmin.nocache.js interprets unvalidated user input as source code on line 15. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
Code: if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}
Thanks for your help!