Question about security questions #4987
Comments
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@fbgranado can you provide additional details such as the build you performed your scan against? I tried using both minified and unminified versions of Prebid.js@3.5.0 and none of my line numbers are matching up with your line numbers. I tried to look into some by just searching the code base and most of them look like non-issues. As stated by your messages, it says that these values should be sanitized before being output but most of these values are never output so they don't require sanitization. Also, the type of sanitization necessary is dependent on the context they are output to so it's not something I can just provide a global fix for by adding generalized sanitization to our utils. If you can provide some direction into where you think code is being output to the page that needs to be sanitized that would be more helpful. Thanks. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@snapwich, the build is an unminified from minified version. I attached it I agree with you about the output since we use the follwing:
|
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Any status here? |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Type of issue
Security question
Description
Our server admin asks to change the following before host the prebid.min.js file.
Blockers
js/prebid.js#L111 : Data from JS global "window.location.search" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L156 : HTML string concatenation detected, this is a security risk, use DOM node construction or a templating language instead: t+.
js/prebid.js#L156 : HTML string concatenation detected, this is a security risk, use DOM node construction or a templating language instead: +'">'.
js/prebid.js#L285 : Data from JS global "window.location.protocol" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L285 : Data from JS global "window.location.hostname" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L285 : Data from JS global "window.location.port" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L285 : Data from JS global "window.location.port" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L489 : Data from JS global "window.location" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L2151 : Data from JS global "window.location.search" may contain user-supplied values and should be sanitized before output to prevent XSS.
js/prebid.js#L5170 : Data from JS global "window.location.host" may contain user-supplied values and should be sanitized before output to prevent XSS.
Warnings
js/prebid.js#L151 : Any HTML passed to write gets executed. Make sure it's properly escaped.
js/prebid.js#L4819 : Any HTML passed to write gets executed. Make sure it's properly escaped.
Platform details
Prebid version: 3.5.0
The text was updated successfully, but these errors were encountered: