Document Object Model (DOM) Cross-Site Scripting (XSS) vulnerability .js

Asked Aug 22 '17 at 13:31

Active Aug 23 '17 at 20:14

Viewed 452 times

I am not a javascript coder and have an issue. Apparently the code below uses location.href and document.write() without escaping the location.href source. This is causing a Document Object Model (DOM) Cross-Site Scripting (XSS) vulnerability. Any suggestions on how to fix?

if(!_STNS.bLoaded){
var s="";
for(var i in _STNS.oImgs){
if(_STNS.oImgs[i]!=2){
s+=_STNS.fsGetTag("div","style=\"display:none\"",_STNS.fsGetImgTag(i,-1,-1));
}

_STNS.oImgs[i]=2;
}

document.write(s);
}

},bIsIE:false,bIsMIE:false,bIsFX:false,bIsOP:false,bIsSF:false,bIsKQ:false,oNav:null,bRTL:false,sDocMd:null,sURL:window.location.href+"",sDIR:null,bLocal:false,fsGetDocMd:function(w){
var w=w||window;
switch(w.document.compatMode){
case "QuirksMode":
case "BackCompat":
return "quirks";
case "CSS1Compat":
return "css1";
default:
return document.compatMode;
}

edited Aug 23 '17 at 20:14

asked Aug 22 '17 at 13:31

sdmoel

1

Embedding obfuscated code from a third party is probably even worse.. – Jonas Wilms Aug 22 '17 at 13:37
there are some cool alternative to the `document.write()` https://stackoverflow.com/questions/4537963/what-are-alternatives-to-document-write – rockStar Aug 22 '17 at 13:37

Document Object Model (DOM) Cross-Site Scripting (XSS) vulnerability .js

0 Answers0