[Javascript] Is there a Cross-Site Scripting: DOM in dhtmlHistory.js

Thusitha Thilina Dayaratne thusithathilina at gmail.com
Wed Sep 30 02:43:15 EDT 2015

I'm a newbie to JS. One of the projects that I'm working on depends on
dhtmlHistory.js. As I understand it, this JS library is used to track history
and bookmarking-related functionality, mainly in IE. This library
seems to be dead too. When I do a Fortify security scan, there exist some

> var initialHash = this.getCurrentLocation();
> if (this.isInternetExplorer()) {
>          document.write("<iframe style='border: 0px; width: 1px; "
>                                + "height: 1px; position: absolute; bottom: 0px; "
>                                + "right: 0px; visibility: visible;' "
>                                + "name='DhtmlHistoryFrame' id='DhtmlHistoryFrame' "
>                                + "src='blank.html?" + initialHash + "'>"
>                                + "</iframe>");
>          // wait 400 milliseconds between history
>          // updates on IE, versus 200 on Firefox
>          this.WAIT_TIME = 400;
>       }

Here the initialHash value that gets passed to the src is not validated. Is
this an actual risk?

Is there a way for me to find out whether I can get rid of this y, since almost
all modern browsers are capable of handling this stuff without the help of
a 3rd-party dependency at present?
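
The concatenation from the quoted snippet, shown beside an encoded form and a DOM-API form, as an added example that is not part of the original post or of dhtmlHistory.js. The helper names and the sample hash are constructed for illustration, and the example assumes getCurrentLocation() returns text taken from the URL fragment.

```javascript
// Added example; helper names are hypothetical and the sample hash is constructed.
// Assumption: getCurrentLocation() returns text taken from the URL fragment.

// Same concatenation pattern as the quoted snippet (style attribute omitted).
function frameMarkupConcat(initialHash) {
  return "<iframe name='DhtmlHistoryFrame' id='DhtmlHistoryFrame' "
       + "src='blank.html?" + initialHash + "'></iframe>";
}

// Escape a value for use inside a quoted HTML attribute.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened markup: percent-encode for the URL query, then escape for the
// attribute. encodeURIComponent alone leaves ' untouched, so both are needed.
function frameMarkupEncoded(initialHash) {
  const src = "blank.html?" + encodeURIComponent(initialHash);
  return "<iframe name='DhtmlHistoryFrame' id='DhtmlHistoryFrame' "
       + "src='" + escapeHtmlAttr(src) + "'></iframe>";
}

// Preferred in a browser: the value never passes through the HTML parser.
// `doc` is the page's document object.
function createHistoryFrame(doc, initialHash) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("name", "DhtmlHistoryFrame");
  frame.setAttribute("id", "DhtmlHistoryFrame");
  frame.setAttribute("src", "blank.html?" + encodeURIComponent(initialHash));
  return frame;
}

// Check helper: list the attribute names found in the generated opening tag.
function attributeNames(markup) {
  const openTag = markup.slice(0, markup.indexOf(">"));
  return Array.from(openTag.matchAll(/([\w-]+)='[^']*'/g), (m) => m[1]);
}

// Constructed, inert input: a quote followed by a harmless marker attribute.
const sampleHash = "a' data-injected='1";
console.log(attributeNames(frameMarkupConcat(sampleHash)));  // extra attribute appears
console.log(attributeNames(frameMarkupEncoded(sampleHash))); // only name, id, src
```

An extra attribute name in the first result means the value closed the `src` attribute early, which is the condition the scanner is flagging.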

