Link manipulation (DOM-based)


Hi all, 

we use jquery-3.3.1.js in our application.
Burp scan found a Link manipulation (DOM-based) vulnerability in the jQuery sources:

   // Anchor tag for parsing the document origin
   originAnchor = document.createElement( "a" );
   originAnchor.href = location.href;


Data is read from location.href and passed to the 'href' property of a DOM element via the following statement:
  • originAnchor.href = location.href;
and one more place:

           // Set the base href for the created document
           // so any parsed elements with URLs
           // are based on the document's URL (gh-2965)
           base = context.createElement( "base" );
           base.href = document.location.href;
           context.head.appendChild( base );
       } else {
           context = document;
       }


Data is read from document.location.href and passed to the 'href' property of a DOM element via the following statement:
  • base.href = document.location.href;

Could someone tell me if these are real jQuery issues and bugs are needed, or whether the findings are false positives?

Thanks, 
Olga.
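
For triaging source-to-sink findings like the ones quoted above, here is an added example (not part of the original post and not jQuery code) of validating a value derived from the page URL before it is assigned to an 'href' property. The names safeHref and nextLinkFromPage, the "next" query parameter and all sample URLs are assumptions made for illustration.

```javascript
// Added example: gate URL-derived data before it reaches an href sink.
// safeHref, nextLinkFromPage and the "next" parameter are hypothetical names.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return a normalized URL string that may be assigned to element.href,
// or null when the candidate has to be rejected.
function safeHref(candidate, pageHref, allowedOrigins = []) {
  let page, target;
  try {
    page = new URL(pageHref);
    // Resolve the candidate against the page URL, as a browser does for href,
    // so "//host" and "/\host" forms are judged by what they resolve to.
    target = new URL(candidate, page);
  } catch (e) {
    return null; // unparsable input is rejected, never passed through
  }
  // Only navigable web schemes; this drops javascript:, data:, and similar.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  // Same origin as the page, or an origin the application explicitly trusts.
  const trusted = new Set([page.origin, ...allowedOrigins]);
  if (!trusted.has(target.origin)) return null;
  return target.href;
}

// A flow that needs the check: part of the URL chosen by whoever built
// the link ends up as the target of a link in the page.
function nextLinkFromPage(pageHref, allowedOrigins = []) {
  const raw = new URL(pageHref).searchParams.get("next");
  return raw === null ? null : safeHref(raw, pageHref, allowedOrigins);
}
```

The check parses and resolves the value first and compares origins afterwards, which is why scheme-relative and backslash forms are rejected without any string matching.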