This is a migrated thread and some comments may be shown as answers.

RadAjaxNamespace.js - HP Fortify - Cross Site Scripting Issue

1 Answer 43 Views
Ajax
This is a migrated thread and some comments may be shown as answers.
Manish
Top achievements
Rank 1
Manish asked on 30 Aug 2013, 11:15 AM
I ran HP Fortify tool to check vulnerable code in application code base and found the security issue in RadAjaxNamespace.js file for Cross site scripting. The detail of the scan for vulnerable code is below. Please let us know how could we fix this issue as the method seems vulnerable to cross site scripting attacks.

Abstract:
The method l1b() in RadAjaxNamespace.js sends unvalidated data to a web browser
on line 1, which can result in the browser executing malicious code.
Source: RadAjaxNamespace.js:1 Read ~localScope.oe.responseText()
-1 ( function (){ob=25; if (typeof(window.RadAjaxNamespace)=="undefined" ||
typeof(window.RadAjaxNamespace.Version)=="\x75\x6e\x64efin\x65\x64" ||
window.RadAjaxNamespace.Version<ob){window.RadAjaxNamespace=
{Version:ob,IsAsyncResponse: false ,LoadingPanels:{} ,ExistingScripts:{} ,IsInRequest:
false ,MaxRequestQueueSize: 5 } ; var AjaxNS=window.RadAjaxNamespace;
AjaxNS.EventManager= {Ob:null,lb:function (){try {if (this.Ob==null){ this.Ob=[];
AjaxNS.EventManager.Add(window,"\165nload",this.ib); }}c...
0 if (typeof(Sys) != "undefined"){if (Sys.Application != null &&
Sys.Application.notifyScriptLoaded != null){Sys.Application.notifyScriptLoaded();}}

1 Answer, 1 is accepted

Sort by
0
Antonio Stoilkov
Telerik team
answered on 04 Sep 2013, 06:39 AM
Hi Manish,

Could you provide more information on the product version that you are using? RadControls in its current state does not distribute RadAjaxNamspace.js file. Could you confirm there is security issue in the current available distribution of RadControls?

Regards,
Antonio Stoilkov
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.
Tags
Ajax
Asked by
Manish
Top achievements
Rank 1
Answers by
Antonio Stoilkov
Telerik team
Share this question
or