Following is the issue when the security audit was run over the source code in Smart GWT3.0 version.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Use output filtering to sanitize all output generated from user-supplied input, selecting the appropriate method of encoding based on the use case of the untrusted data. For example, if the data is being written to the body of an HTML page, use HTML entity encoding. However, if the data is being used to construct generated Javascript or if it is consumed by client-side methods that may interpret it as code (a common technique in Web 2.0 applications), additional restrictions may be necessary beyond simple HTML encoding.
Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Do not permit users to include HTML content in posts, notes, or other data that will be displayed by the application. If users are permitted to include HTML tags, then carefully limit access to specific elements or attributes, and use strict validation filters to prevent abuse.
/chart/.../tools/bmmlImporter.jsp 20
/chart/.../tools/bmmlImporter.jsp 22
/chart/.../tools/bmmlImporter.jsp 23
/chart/.../tools/bmmlImporter.jsp 24
/chart/.../tools/bmmlImporter.jsp 25
/chart/.../tools/genScriptDoc.jsp 28
/chart/.../tools/genScriptDoc.jsp 29
/chart/.../visualBuilder/index.jsp 54
/chart/.../visualBuilder/index.jsp 72
.../JSSyntaxScannerFilter.java 329
com/.../taglib/LoadModulesTag.java 106
com/.../taglib/LoadModulesTag.java 134
com/.../taglib/LoadSkinTag.java 94
com/.../taglib/LoadSkinTag.java 96
com/.../servlet/ServletTools.java 1232
com/.../servlet/SourceViewer.java 185
com/.../servlet/SourceViewer.java 190
/chart/.../visualBuilder/view.jsp 18
Can we have a resolution for this?
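The two encoding contexts the audit text distinguishes (HTML body versus generated JavaScript), shown as a small context-aware encoder. This is an added example, not Smart GWT code; the class name, the method names and the JSP usage in the comments are assumptions about how a servlet or JSP would call it.

```java
// Added example (not part of Smart GWT): context-aware output encoding for
// untrusted data before it is written to the response.
public final class OutputEncoder {

    // Data written into the body of an HTML page (or an attribute value):
    // HTML entity encoding of the characters that can change HTML structure.
    public static String forHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Data placed inside a JavaScript string literal in generated script:
    // HTML entity encoding is not enough there, because the script parser sees
    // the raw characters. Escape everything outside [A-Za-z0-9 ] as \\uXXXX so
    // quotes, backslashes, "</script>" and U+2028/U+2029 cannot end the literal.
    public static String forJavaScriptString(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() * 2);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == ' ';
            if (safe) sb.append(c);
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String name = "<script>alert(1)</script>"; // constructed sample input
        // In a JSP body:        <p>Hello, <%= OutputEncoder.forHtml(name) %></p>
        System.out.println(OutputEncoder.forHtml(name));
        // In generated script:  var n = "<%= OutputEncoder.forJavaScriptString(name) %>";
        System.out.println("var n = \"" + OutputEncoder.forJavaScriptString(name) + "\";");
    }
}
```

Where the page is HTML, pairing such encoding with a Content-Type header that fixes the charset keeps the encoded output from being reinterpreted under a different encoding.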