
javascript - VeraCode - Call to name() contains a Cross-Site Scripting (XSS) flaw

Reposted. Author: 太空宇宙. Updated: 2023-11-04 15:32:58

Can someone explain why VeraCode seems to think that using name as a public property is a bad idea, and suggest a good mitigation?

Code (JavaScript):

var BatchTask = (function () {
    function BatchTask(batchOrTask, isBatch) {
        if (isBatch) {
            ...
        }
        else {
            var task = batchOrTask;
            this.name = task.name; // flaw identified on this line
        }
    }
    return BatchTask;
}());

Flaw: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Attack Vector: name

Description: This call to name() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

Best answer

After consulting with Veracode, they confirmed this is a false positive and a bug in their engine, which they will investigate.
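The following is an added illustration, not code from the question or the answer above. It shows why the flagged line is only data flow and not an XSS sink: `this.name = task.name` stores a string, and the risk arises only if that string is later written into the page as markup. The `BatchTask` constructor, the `renderUnsafe`/`renderSafe` functions, the `escapeHtml` helper and the sample task object are all assumptions made for this example; the `untrustedTask` value is constructed to resemble a task name received from an untrusted source.

```javascript
// Added example (not from the original post). Demonstrates that storing
// an untrusted string in a property is harmless by itself, and that the
// actual defence is output encoding at the point where the string is
// rendered into HTML.

// Constructed sample input standing in for a task object from an API.
const untrustedTask = { name: '<img src=x onerror="alert(1)">' };

// Hypothetical reconstruction of the constructor from the question.
function BatchTask(batchOrTask, isBatch) {
  if (isBatch) {
    this.name = batchOrTask.name; // hypothetical batch branch
  } else {
    var task = batchOrTask;
    this.name = task.name; // the line the scanner flagged: plain assignment
  }
}

// Encode the five characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: raw interpolation lets the name become live markup.
function renderUnsafe(task) {
  return `<li class="task">${task.name}</li>`;
}

// Safe rendering: the name is emitted as text, never as markup.
function renderSafe(task) {
  return `<li class="task">${escapeHtml(task.name)}</li>`;
}

// Detection-style check: does the fragment contain any tag other than the
// <li> wrapper the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

// Stand-alone demonstration.
const t = new BatchTask(untrustedTask, false);
console.log('stored name   :', t.name);
console.log('unsafe render :', renderUnsafe(t), '-> foreign tag:', containsForeignTag(renderUnsafe(t)));
console.log('safe render   :', renderSafe(t), '-> foreign tag:', containsForeignTag(renderSafe(t)));
```

In a real browser the same distinction applies to DOM APIs: assigning the name to `element.textContent` is the safe equivalent of `renderSafe`, while `element.innerHTML = task.name` is the equivalent of `renderUnsafe`. Scanners that treat every read of a property called `name` as a sink produce findings like the one in the question; the useful review is to trace where the value is ultimately written.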

Regarding "javascript - VeraCode - Call to name() contains a Cross-Site Scripting (XSS) flaw", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44650639/
