dojo is vulnerable to cross-site scripting. User input is not sanitized in the server response before being displayed on a user’s browser. An attacker is able to inject arbitrary Javascript into a victim’s browser through a crafted URL via the status
parameter.