RadAjaxNamespace.js - HP Fortify - Cross Site Scripting Issue

2 posts, 0 answers
  1. Manish
    Manish  avatar
    1 posts
    Member since:
    Feb 2011

    Posted 30 Aug 2013 Link to this post

    I ran HP Fortify tool to check vulnerable code in application code base and found the security issue in RadAjaxNamespace.js file for Cross site scripting. The detail of the scan for vulnerable code is below. Please let us know how could we fix this issue as the method seems vulnerable to cross site scripting attacks.

    The method l1b() in RadAjaxNamespace.js sends unvalidated data to a web browser
    on line 1, which can result in the browser executing malicious code.
    Source: RadAjaxNamespace.js:1 Read ~localScope.oe.responseText()
    -1 ( function (){ob=25; if (typeof(window.RadAjaxNamespace)=="undefined" ||
    typeof(window.RadAjaxNamespace.Version)=="\x75\x6e\x64efin\x65\x64" ||
    {Version:ob,IsAsyncResponse: false ,LoadingPanels:{} ,ExistingScripts:{} ,IsInRequest:
    false ,MaxRequestQueueSize: 5 } ; var AjaxNS=window.RadAjaxNamespace;
    AjaxNS.EventManager= {Ob:null,lb:function (){try {if (this.Ob==null){ this.Ob=[];
    AjaxNS.EventManager.Add(window,"\165nload",this.ib); }}c...
    0 if (typeof(Sys) != "undefined"){if (Sys.Application != null &&
    Sys.Application.notifyScriptLoaded != null){Sys.Application.notifyScriptLoaded();}}
  2. Antonio Stoilkov
    Antonio Stoilkov avatar
    530 posts

    Posted 04 Sep 2013 Link to this post

    Hi Manish,

    Could you provide more information on the product version that you are using? RadControls in its current state does not distribute RadAjaxNamspace.js file. Could you confirm there is security issue in the current available distribution of RadControls?

    Antonio Stoilkov
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.
Back to Top