Re: Veracode detected 5 XSS issues in nocache.js

2020-02-23 Thread Thomas Broyer


On Monday, February 24, 2020 at 1:10:06 AM UTC+1, Craig Mitchell wrote:
>
> I thought the .nocache.js file just did the loading of the 
> cache.js files, and the user didn't have much control over what went in 
> this file.
>

You do have full control: you can choose the linker being used (defaults to 
the CrossSiteIframeLinker), or configure the behavior of the default linker 
(see 
https://github.com/gwtproject/gwt/blob/master/user/src/com/google/gwt/core/CrossSiteIframeLinker.gwt.xml
to begin with).
You could extend the CrossSiteIframeLinker (or DirectInstallLinker) and 
override some of the behavior (e.g. getJsComputeUrlForResource 
or getJsInstallLocation); see 
https://github.com/gwtproject/gwt/blob/master/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java
and the *.js scripts in 
https://github.com/gwtproject/gwt/tree/master/dev/core/src/com/google/gwt/core/ext/linker/impl

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/e43ea87f-6f58-4eca-8516-7b6aeeff9926%40googlegroups.com.
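To make the customization route above concrete, here is an added example of a linker subclass; it is not code from the thread or from the GWT project. It assumes the package, class name and the two resource paths are placeholders the team would fill in with their own reviewed copies of the stock scripts; the overridden methods, their `LinkerContext` parameter and the `@LinkerOrder`/`@Shardable` annotations are the ones found in GWT's CrossSiteIframeLinker. Swapping the snippets does not by itself resolve a scanner finding; it gives the team control over, and review ownership of, exactly what ends up in the generated *.nocache.js.

```java
// Added example (not from the thread): a custom GWT linker that replaces the
// JavaScript snippets CrossSiteIframeLinker embeds into *.nocache.js.
// Assumptions: package, class name and the two resource paths below are
// hypothetical; the overridden methods exist in GWT's CrossSiteIframeLinker.
package com.example.linker;

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

@LinkerOrder(Order.PRIMARY)
@Shardable
public class AuditedIframeLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-Site-Iframe (team-reviewed install snippets)";
  }

  // Classpath location of the script that computes the URL of each
  // *.cache.js fragment. Pointing it at a copy the team has reviewed
  // (and can diff against upstream) keeps the emitted code under control.
  @Override
  protected String getJsComputeUrlForResource(LinkerContext context) {
    return "com/example/linker/computeUrlForResource.js"; // hypothetical resource
  }

  // Classpath location of the script that decides where the compiled code is
  // installed (the stock linker installs it into a hidden iframe).
  @Override
  protected String getJsInstallLocation(LinkerContext context) {
    return "com/example/linker/installLocationIframe.js"; // hypothetical resource
  }
}
```

The linker is registered in the module's `*.gwt.xml` with `<define-linker name="auditedxsiframe" class="com.example.linker.AuditedIframeLinker"/>` followed by `<add-linker name="auditedxsiframe"/>` (the `name` value is a placeholder). After recompiling, the regenerated `*.nocache.js` can be re-scanned and the diff against the stock output reviewed line by line.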


Re: Veracode detected 5 XSS issues in nocache.js

2020-02-23 Thread Craig Mitchell
I thought the .nocache.js file just did the loading of the cache.js 
files, and the user didn't have much control over what went in this file.  
If there was a security issue with how this file was generated, I imagine 
it would affect all GWT applications out there.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/017cb39a-5f8a-41f3-bd5b-caf2a2642520%40googlegroups.com.


Re: Veracode detected 5 XSS issues in nocache.js

2020-02-18 Thread Nick Wilton
I suggest you have a look at the OWASP website, it’s an excellent resource to 
understand this vulnerability and how to address it.

https://owasp.org/www-community/attacks/xss/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/0A361879-B99C-4802-A73B-95D7C2EE6EB9%40guided.net.au.


Re: Veracode detected 5 XSS issues in nocache.js

2020-02-18 Thread kaveri dusane
Thanks Nick for your reply.

I understand that the developer has to make sure that code is secured. But
as you have mentioned module.nocache.js is a build artifact, so how do we
resolve/address Veracode issues identified in this file?

On Wed, Feb 19, 2020 at 1:35 AM Nick Wilton  wrote:

> module.nocache.js is a build artifact, created with GWT. Like all web
> technologies it’s up to the developer using GWT to ensure vulnerabilities
> like XSS are not introduced.
>
> There’s further information about avoiding the introduction of XSS
> vulnerabilities in GWT applications here:
>
> http://www.gwtproject.org/doc/latest/DevGuideSecuritySafeHtml.html
>
> On 19 Feb 2020, at 06:33, kaveri  wrote:
>
> Veracode has reported 5 places with error - improper neutralization of
> script related html tags in web page (basic XSS) in module.nocache.js at
> line number 4, 10, 9 and 13
>
> Is there any fix to this issue or proper explanation to prove that code is
> secured
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/CA%2Bg1iwLU-UHuPBJS8POKNnxvrQZc0UcHQEErgZ%3DF1ZQ51n9j%2BA%40mail.gmail.com.


Re: Veracode detected 5 XSS issues in nocache.js

2020-02-18 Thread Nick Wilton
module.nocache.js is a build artifact, created with GWT. Like all web 
technologies it’s up to the developer using GWT to ensure vulnerabilities like 
XSS are not introduced.

There’s further information about avoiding the introduction of XSS 
vulnerabilities in GWT applications here:

http://www.gwtproject.org/doc/latest/DevGuideSecuritySafeHtml.html

> On 19 Feb 2020, at 06:33, kaveri  wrote:
> 
> Veracode has reported 5 places with error - improper neutralization of 
> script related html tags in web page (basic XSS) in module.nocache.js at line 
> number 4, 10, 9 and 13
> 
> Is there any fix to this issue or proper explanation to prove that code is 
> secured

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/6A9B52B4-7575-4EEB-88CC-C9FFD75D9C9D%40guided.net.au.