
Broken link - “/a” in JQuery 1.9 Js file

When we did a security audit of our project, we got a broken link "/a" vulnerability.

After searching for the link throughout the project, we found it in the JQuery-1.9.js JavaScript file that we are using in our project.

A small part of the code in that JQuery-1.9.js:

// Make sure that URLs aren't manipulated
// (IE normalizes it by default)
hrefNormalized: a.getAttribute("href") === "/a",

As per my understanding, this part of the code helps make it (jQuery) compatible with IE 6/7/8. hrefNormalized is used to check whether the anchor tag gives the href value as a full URL or the exact href, which is an issue in IE versions. A better explanation of this part is given in https://www.inkling.com/read/jquery-cookbook-cody-lindley-1st/chapter-4/recipe-4-1

I want to remove this vulnerability, but I don't want to remove or change code in the jQuery JS file.

So, my question is: why didn't the jQuery designers use "/#" instead of "/a"? What is the problem with using "/#" in that code?

Earlier, the same question was asked by someone to the jQuery team, but they said that it is not a problem in jQuery. For reference, that ticket is http://bugs.jquery.com/ticket/10149

Help me solve this, or is there another solution?

Thank you

This is not a vulnerability but a false positive. The security scanner interprets the "/a" string as a link, which it is not.

Even if jQuery creates the link in the DOM, it's not clickable or visible to the user. Your website does not actually have a real link to /a anywhere.

I would ignore the problem without changing anything.
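One way to confirm a finding like this during triage, as an added example that is not part of the original question or answers: check whether the reported path appears as a URL attribute in served markup or only as a quoted string inside script source. The file names, the `div.innerHTML` line and the function names are assumptions constructed for illustration.

```javascript
// Added example: locate where a scanner-reported path actually occurs.
// sampleFiles is constructed for illustration, modelled on the snippet above.
const sampleFiles = {
  "index.html": [
    '<a href="/home">Home</a>',
    '<script src="/Scripts/jquery-1.9.js"></script>',
  ].join("\n"),
  "Scripts/jquery-1.9.js": [
    'div.innerHTML = "<a href=\'/a\'>a</a>";',
    "// Make sure that URLs aren't manipulated",
    'hrefNormalized: a.getAttribute("href") === "/a",',
  ].join("\n"),
};

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const lineOf = (text, index) => text.slice(0, index).split("\n").length;

function classifyFinding(files, path) {
  const p = escapeRe(path);
  // A navigable reference: the path as the value of a URL attribute in markup.
  const attrRe = new RegExp(`\\b(?:href|src|action)\\s*=\\s*(["'])${p}\\1`, "gi");
  // The same path as a quoted string inside script source.
  const literalRe = new RegExp(`(["'])${p}\\1`, "g");
  const scriptRe = /(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi;
  const markupLinks = [];
  const scriptLiterals = [];
  for (const [name, text] of Object.entries(files)) {
    if (/\.html?$/i.test(name)) {
      // Blank inline script bodies (newlines kept) so only real markup is searched.
      const markup = text.replace(scriptRe, (_, open, body, close) =>
        open + body.replace(/[^\n]/g, " ") + close);
      for (const m of markup.matchAll(attrRe)) {
        markupLinks.push(`${name}:${lineOf(text, m.index)}`);
      }
    } else if (/\.js$/i.test(name)) {
      for (const m of text.matchAll(literalRe)) {
        scriptLiterals.push(`${name}:${lineOf(text, m.index)}`);
      }
    }
  }
  const verdict = markupLinks.length ? "real-link"
    : scriptLiterals.length ? "script-literal-only" : "not-found";
  return { verdict, markupLinks, scriptLiterals };
}

console.log(classifyFinding(sampleFiles, "/a"));
```

A `script-literal-only` verdict with the file and line recorded gives the evidence needed to mark the scanner finding as a false positive without editing the library.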

Maybe, if you want this hrefNormalized: a.getAttribute("href") === "/a", to be transformed into this hrefNormalized: a.getAttribute("href") === "/#", but you don't want to touch the jQuery file: put that second one in a script, in an order such that the browser reads your script after reading the jQuery file, so it mashes.

Anyway, I never had issues with jQuery before, check your code first.

If you don't want to have your views with scripts, put it in a js file and link this file to your view after the jQuery file.

Hope it helped you, or at least gave you some ideas to solve your problem. Good luck, let us know how it goes! ;)

EDIT:

<script src="~/JQuery/jquery-2.0.3.js"></script>
<script src="~/Scripts/Fix.js"></script>

If you do something like this, the browser first reads the jQuery file, then it reads Fix.js. Inside Fix.js, you put the function or parameter you want to change from jQuery.

So the browser will use the latest one it reads if they are equal.

For example:

function whatever (){   //This in jQuery file
  //things #1
}

function whatever (){   //This in Fix file
  //Different things #2
}

This way the browser chooses the Fix.js one, because it was the last one it read.
