Our enterprise security scanner reported a cross-site scripting vulnerability for the AjaxUploader. What it was able to do was modify the UploadOK() handler script to include a textarea and more scripting:
<script type='text/javascript'>if(window.parent.CurrentUpload)window.parent.CurrentUpload.UploadOK('""'></SCRIPT></TITLE></TEXTAREA>'""></XSS/*-*/STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(2431)})>','95c88ae3-3f1a-447e-af75-71f8c9c8cb46')</script>
Could you tell me how I could address this vulnerability? I have Microsoft's AntiXss library, which includes a JavaScriptEncode() method which can be called on the server side, but I don't know how to access the script in question.
Thanks,
Pete
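An added example, not from the original post and not AjaxUploader or AntiXss code, showing in Node.js the kind of allow-list encoding a server-side JavaScriptEncode() call applies before a value such as a filename is written between the quotes of the UploadOK('...') literal: every character outside a small safe set becomes a \xHH or \uHHHH escape, so the value can no longer contain the `</SCRIPT>`, `</TEXTAREA>` or quote characters the scanner's probe depends on. The probe string and upload id are taken from the post; the function names, the safe-character set, and the reconstruction of the callback script's shape are assumptions of this example.

```javascript
// Added example (not AjaxUploader or AntiXss code): allow-list JavaScript
// string encoding of the kind a server-side JavaScriptEncode() call performs
// before an untrusted value is written into a string literal inside <script>.

// Characters that pass through unchanged. Everything else, including < > / ' "
// and backslash, is written as a \xHH or \uHHHH escape, so the encoded value
// can never close the surrounding <script>, <textarea> or <title> element or
// terminate the quoted string it sits in. (The safe set is this example's own.)
const SAFE_CHAR = /^[A-Za-z0-9 ,._-]$/;

function hex(n, width) {
  return n.toString(16).toUpperCase().padStart(width, "0");
}

// Encode `value` for use between the quotes of a JavaScript string literal.
function jsStringEncode(value) {
  let out = "";
  for (const ch of String(value)) {          // iterates by code point
    if (SAFE_CHAR.test(ch)) { out += ch; continue; }
    if (ch.length === 2) {                   // astral code point: escape both surrogates
      out += "\\u" + hex(ch.charCodeAt(0), 4) + "\\u" + hex(ch.charCodeAt(1), 4);
    } else if (ch.charCodeAt(0) < 0x100) {
      out += "\\x" + hex(ch.charCodeAt(0), 2);
    } else {
      out += "\\u" + hex(ch.charCodeAt(0), 4);
    }
  }
  return out;
}

// True when `encoded` consists only of allow-listed characters and escapes,
// i.e. nothing in it can be read as markup or as a string delimiter.
function isSafeLiteralBody(encoded) {
  return /^(?:[A-Za-z0-9 ,._-]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*$/.test(encoded);
}

// Recover the original value without eval: \xHH is rewritten to \u00HH and the
// result is parsed as a JSON string (every allow-listed character is legal in one).
function decodeLiteralBody(encoded) {
  return JSON.parse('"' + encoded.replace(/\\x([0-9A-F]{2})/g, "\\u00$1") + '"');
}

// The callback script the upload handler page returns to the hidden iframe,
// with both arguments passed through `encode`. Hypothetical reconstruction of
// the script shape quoted in the post, not the component's own template.
function buildUploadOkScript(fileName, uploadId, encode = jsStringEncode) {
  return "<script type='text/javascript'>" +
    "if(window.parent.CurrentUpload)window.parent.CurrentUpload.UploadOK('" +
    encode(fileName) + "','" + encode(uploadId) + "')" +
    "</script>";
}

// Check that between the opening <script ...> tag and the closing </script>
// there is no '<' or '>' at all, so nothing injected can end the element early.
function scriptBodyIsIntact(script) {
  const start = script.indexOf(">") + 1;
  const end = script.lastIndexOf("</script>");
  const body = script.slice(start, end);
  return end > start && !/[<>]/.test(body);
}

// Constructed inputs: a benign filename, and the scanner's probe and upload id from the post.
const BENIGN_NAME = "quarterly report 2024.pdf";
const PROBE = "'\"></SCRIPT></TITLE></TEXTAREA>'\"><XSS STYLE=xss:expression(alert(2431))>";
const UPLOAD_ID = "95c88ae3-3f1a-447e-af75-71f8c9c8cb46";

console.log(buildUploadOkScript(BENIGN_NAME, UPLOAD_ID));   // benign name is unchanged
console.log(buildUploadOkScript(PROBE, UPLOAD_ID));         // probe becomes inert escapes
console.log("intact:", scriptBodyIsIntact(buildUploadOkScript(PROBE, UPLOAD_ID)));
console.log("raw intact:", scriptBodyIsIntact(buildUploadOkScript(PROBE, UPLOAD_ID, (s) => s)));
```

The point of the contrast is that the same probe, passed through the identity function, ends the script element at its first `</SCRIPT>`, while the encoded form contains no `<`, `>` or quote at all and still decodes to the original filename in the browser. Whatever server-side code in the handler page writes the filename into that UploadOK('...') call is the place the encoding call has to go; HTML encoding at that spot is not a substitute, because the value sits inside a JavaScript string, not inside HTML text.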