Possible Cross-site scripting DOM-based

[anthaeus]

The applicaiton version 3.7.2 may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to $() via the following statements:

e=window.location.hash;
b_isTabHash(e)&&(e=b._getFromNiceHash(e),$('.tab-menu a[href\x3d'"+e'"]').tab("show"));

The exploitability of this issue might depend on the specific version of jQuery that is being used.

[Cyassin]

Can you highlight where in the code this is? I can't seem to find it.
Curious as my product team is assessing the risks of using this script.

[anthaeus]

Id like to but I dont remember which assesment on my side was it. Damn.. 2018-02-13 7:24 GMT+01:00 Cyassin <notifications@github.com>:

…

Can you highlight where in the code this is? I can't seem to find it. Curious as my product team is assessing the risks of using this script. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#212 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGzlZyCNocSsWszUhs-sVvwOK72fr-aGks5tUSqggaJpZM4OiZ8C> .

-- /* Pozdrawiam */