- DOM-based Cross-Site Scripting Vulnerability
Class: Data Validation   Severity: Medium   Difficulty: Medium
TARGETS:
• …/dhtmlxGrid/codebase/dhtmlxcommon.js
- Line 195: Unsafe client output calling this.xmlDoc.setRequestHeader() with tainted arg
- Line 195: String concatenation with user-controlled value
- Line 195: String concatenation with user-controlled value
- Line 195: "navigator.userAgent" is controlled by the user
Can you please have a look and consider replacing line 195 with:
this.xmlDoc.setRequestHeader("User-Agent", "dhtmlxRPC v0.1 (" + encodeURI(navigator.userAgent) + ")");
Thank you.
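The header construction the report points at, and the proposed encodeURI() replacement, as an added JavaScript example that is not part of dhtmlxGrid or of this report: it builds the header value the way line 195 does and the way the suggested replacement does, from constructed user-agent strings, so the effect of encodeURI() on the value can be inspected. The function names and the sample strings are assumptions made here, not taken from the library.

```javascript
// Added example, not dhtmlxGrid code. Shows the header value produced by the
// original concatenation and by the proposed encodeURI() wrapper.

// Original construction (shape of dhtmlxcommon.js line 195): raw user agent.
function rpcHeaderRaw(userAgent) {
  return "dhtmlxRPC v0.1 (" + userAgent + ")";
}

// Proposed replacement: user agent wrapped in encodeURI().
function rpcHeaderEncoded(userAgent) {
  return "dhtmlxRPC v0.1 (" + encodeURI(userAgent) + ")";
}

// Lists the non-alphanumeric characters of `s` that encodeURI() leaves as-is,
// so a reviewer can see which characters the proposed fix does not touch.
function unencodedByEncodeURI(s) {
  const kept = new Set();
  for (const ch of s) {
    if (/[A-Za-z0-9]/.test(ch)) continue;
    if (encodeURI(ch) === ch) kept.add(ch);
  }
  return [...kept].sort().join("");
}

// Constructed sample user-agent strings (not captured from a real browser):
// an ordinary one, and one carrying markup and CRLF characters.
const SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0";
const HOSTILE_UA = 'Mozilla/5.0 ("<script>alert(1)</script>")\r\nX-Injected: 1';

// Returns both header values for the hostile sample plus the characters
// encodeURI() keeps from a small probe set.
function demo() {
  return {
    raw: rpcHeaderRaw(HOSTILE_UA),
    encoded: rpcHeaderEncoded(HOSTILE_UA),
    untouched: unencodedByEncodeURI("()<>\"'\r\n; /"),
  };
}

console.log(demo());
```

Running it shows that encodeURI() percent-encodes `"`, `<`, `>`, space, CR and LF in the sample, but leaves `(`, `)`, `'`, `;` and `/` untouched, which is worth knowing when judging whether the proposed wrapper is sufficient for the sink in question.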