Fortify SCA: Code Injection . #554
Comments
|
The latest release ( version: 4.2.2) still has this issue being reported by Fortify... anyone make any progress? |
|
I'm not sure what code scan you're referring to. Can you provide more information on the vulnerability? |
|
i tried to get some more information about the code scan report. There is the issue founded by Fortify: jquery.form.js, line 781 (Dynamic Code Evaluation: Code Injection) Source: jquery.form.js:812 Read xhr.responseXML() 810` var ct = xhr.getResponseHeader('content-type') || '', Sink: jquery.form.js:781 setTimeout() |
|
This sounds the same as #464 |
|
Would you please open a pull request to make the needed changes and update/create relevant tests? |
Bug BountyWe have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/ We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚 Automatically generated by @huntr-helper... |
|
Seems same as #580 Official report: https://app.snyk.io/vuln/SNYK-JS-JQUERYFORM-574783 |
Please review Instructions for Reporting a Bug.
Description:
I have no idea about whether it has been fixed in later versions. but the code scan is not passed.
Expected Behavior:
Actual behavior:
Source: jquery.form.js:812 Read xhr.responseXML()
810 var ct = xhr.getResponseHeader('content-type') || '',
811 xml = type === 'xml' || !type && ct.indexOf('xml') >= 0,
812 data = xml ? xhr.responseXML : xhr.responseText;
813
814 if (xml && data.documentElement.nodeName === 'parsererror') {
Sink: jquery.form.js:781 setTimeout() 779
780 // clean up
781 setTimeout(function() {
782 if (!s.iframeTarget) {
783 $io.remove();
Versions:
jqform:3.51
The text was updated successfully, but these errors were encountered: