
Javascript Dojo.js has unvalidated data

Tags: javascript, security, dojo, fortify, phishing

I am working with an e-learning course that was created by a vendor (whom we no longer deal with), and when I uploaded the files through our company's security software (HP Fortify Scan) I received multiple errors. I have corrected all of the errors except one. The error is in the dojo.js file and has to do with an unvalidated url variable. I believe this is a simple fix, but can someone explain what makes this unvalidated? How can I validate this url variable?

Below is a screenshot of the error message and the code (I put the line numbers in comments):

Code:

Thanks in advance,


Mike

I'd say this isn't necessarily an error; HP Fortify Scan is just pointing out a piece of code in dojo/request/xhr.js that may need your attention, in case your server code isn't prepared for such attacks... You could validate the url in the higher-level code in your application (possibly in the app store) that calls xhr(), but I'm not sure whether that satisfies HP Fortify's requirements.

function xhr(url, options, returnDeferred){
    var response = util.parseArgs(
        url,
        util.deepCreate(defaultOptions, options),
        has('native-formdata') && options && options.data && options.data instanceof FormData
    );
    // THIS IS LINE 11540
    url = response.url; 
    options = response.options;

    var remover,
        last = function(){
            remover && remover();
        };

    //Make the Deferred object for this xhr request.
    var dfd = util.deferred(
        response,
        cancel,
        isValid,
        isReady,
        handleResponse,
        last
    );
    var _xhr = response.xhr = xhr._create();

    if(!_xhr){
        // If XHR factory somehow returns nothings,
        // cancel the deferred.
        dfd.cancel(new RequestError('XHR was not created'));
        return returnDeferred ? dfd : dfd.promise;
    }

    response.getHeader = function(headerName){
        return this.xhr.getResponseHeader(headerName);
    };

    if(addListeners){
        remover = addListeners(_xhr, dfd, response);
    }

    var data = options.data,
        async = !options.sync,
        method = options.method;

    try{
        // IE6 won't let you call apply() on the native function.
        // THIS IS LINE 11580
        _xhr.open(method, url, async, options.user || undefined, options.password || undefined);

        if(options.withCredentials){
            _xhr.withCredentials = options.withCredentials;
        }

        var headers = options.headers,
            contentType;
        if(headers){
            for(var hdr in headers){
                if(hdr.toLowerCase() === 'content-type'){
                    contentType = headers[hdr];
                }else if(headers[hdr]){
                    //Only add header if it has a value. This allows for instance, skipping
                    //insertion of X-Requested-With by specifying empty value.
                    _xhr.setRequestHeader(hdr, headers[hdr]);
                }
            }
        }

        if(contentType && contentType !== false){
            _xhr.setRequestHeader('Content-Type', contentType);
        }
        if(!headers || !('X-Requested-With' in headers)){
            _xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
        }

        if(util.notify){
            util.notify.emit('send', response, dfd.promise.cancel);
        }
        _xhr.send(data);
    }catch(e){
        dfd.reject(e);
    }

    watch(dfd);
    _xhr = null;

    return returnDeferred ? dfd : dfd.promise;
}
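The answer above suggests validating the url in the application code that calls xhr() rather than patching dojo.js. As an added example (not part of the original post and not Dojo's own code), the following caller-side check parses the URL with the standard WHATWG URL class, accepts only http(s) URLs on an allowlisted origin, and only then hands the normalized value to the request function; the base URL, the `xhrFn` parameter (a stand-in for dojo's xhr so the check can run stand-alone) and the sample origins are constructed assumptions.

```javascript
// Caller-side URL validation for a dojo/request/xhr call site (added example,
// not from the Dojo project). Assumes the WHATWG URL class (Node or browser).
const DEFAULT_BASE = 'https://lms.example.com/courses/'; // constructed sample base

function validateRequestUrl(rawUrl, allowedOrigins, base = DEFAULT_BASE) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0 || rawUrl.length > 2048) {
    return null;
  }
  // Control characters and whitespace never belong in a request URL.
  if (/[\u0000-\u001F\u007F\s]/.test(rawUrl)) {
    return null;
  }
  let parsed;
  try {
    // Relative paths resolve against the page's own origin; absolute URLs
    // (including protocol-relative "//host/...") keep the origin they name.
    parsed = new URL(rawUrl, base);
  } catch (e) {
    return null; // unparseable input is rejected, not "fixed up"
  }
  // Reject javascript:, data:, file:, etc. before they reach XMLHttpRequest.open().
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return null;
  }
  // Embedded credentials would be sent to the target; refuse them.
  if (parsed.username || parsed.password) {
    return null;
  }
  // Origin allowlist: only the application's own API hosts are reachable.
  if (!allowedOrigins.includes(parsed.origin)) {
    return null;
  }
  return parsed.href; // normalized absolute URL, safe to pass on
}

// Wrapper for the application-level call site: xhrFn stands in for dojo's
// xhr(url, options) (hypothetical injection point so the check is testable).
function guardedXhr(xhrFn, rawUrl, options, allowedOrigins) {
  const safeUrl = validateRequestUrl(rawUrl, allowedOrigins);
  if (safeUrl === null) {
    throw new Error('Refused request: URL failed validation');
  }
  return xhrFn(safeUrl, options);
}
```

Because the value that reaches `_xhr.open()` is now the output of an explicit check, the data flow Fortify flags terminates at the validator rather than at user-controlled input.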