ISC_DataBinding.js displays an XSS warning when the application is deployed on
the standard port 80.
This is due to the fact that the JavaScript compares an undefined port number
value with window.location.port, which is an empty value:
isc.A.isLocalURL=function isc_c_RPCManager_isLocalURL(_1){
    var _2=this.$59w(_1),_3=_2[0],_4=_2[1];
    return(_3=="localhost"||_3==this.getWindow().location.hostname)&&_4==this.getWindow().location.port
}
There should be an additional check that considers an undefined value equal to
the empty string:
(_4==this.getWindow().location.port || (_4==undefined && this.getWindow().location.port == ''))
What steps will reproduce the problem?
1. Deploy an application on default port 80 (http://youhost/myapp).
2. The home page of your app should contain a ListGrid with a datasource using
a dataURL such as GWT.getModuleBaseURL() + "/datasource?action=xyz".
3. Accessing your app should display the warning.
4. Deploy the same app on port 8080, for example.
5. Accessing your app should no longer display the warning.
Original issue reported on code.google.com by eric.laf...@gmail.com on 21 Oct 2010 at 1:42
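An added example, not SmartClient's own code: the comparison from the report next to a variant that maps a missing or empty port to the scheme default before comparing. It goes slightly beyond the suggested fix by also treating an explicit ":80" as equal to the empty location.port. The helper splitUrl (a stand-in for the minified this.$59w), the other function names and the sample location objects are assumptions constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not SmartClient's API.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Stand-in for the minified this.$59w(): splits an absolute URL and leaves
// port undefined when the URL carries none (the behaviour the report describes).
// URLs with userinfo ("host@other") do not match and are never treated as local.
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*:)\/\/([^\/:?#@]+)(?::(\d+))?(?=[\/?#]|$)/i.exec(url);
  return m ? { protocol: m[1].toLowerCase(), host: m[2], port: m[3] } : {};
}

// Comparison as quoted in the report: undefined == "" is false in JavaScript,
// so a same-host URL without a port never matches a page served on port 80.
function isLocalURLOriginal(url, loc) {
  const { host, port } = splitUrl(url);
  return (host == "localhost" || host == loc.hostname) && port == loc.port;
}

// Map undefined or "" to the scheme's default port so that a missing port,
// an empty location.port and an explicit default port all compare equal.
function effectivePort(port, protocol) {
  if (port === undefined || port === "") return DEFAULT_PORTS[protocol] || "";
  return String(port);
}

function isLocalURLFixed(url, loc) {
  const { protocol, host, port } = splitUrl(url);
  const sameHost = host === "localhost" || host === loc.hostname;
  return sameHost &&
    effectivePort(port, protocol) === effectivePort(loc.port, loc.protocol);
}

// Constructed window.location stand-ins for the two deployments in the report.
const PAGE_ON_80 = { protocol: "http:", hostname: "yourhost", port: "" };
const PAGE_ON_8080 = { protocol: "http:", hostname: "yourhost", port: "8080" };
const DATA_URL_80 = "http://yourhost/myapp/datasource?action=xyz";
const DATA_URL_8080 = "http://yourhost:8080/myapp/datasource?action=xyz";
```

The original comparison accepts the port 8080 deployment and rejects the port 80 one, which is the spurious warning described above; the fixed comparison accepts both and still rejects a different host or a different port.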