Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting (XSS). The package does not sanitize URL parameters in the _testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim’s browser.

Upgrade to version 1.4.2 or later.