==========================================================Multiple DOM-Based XSS in Dojo Toolkit SDK
Public Release Date: 3/12/2010
Adam Bixby - Gotham Digital Science (firstname.lastname@example.org)
Affected Software: Dojo Toolkit SDK <= Build 1.4.1
Browser used for testing: IE8 (8.0.7600.16385)
More information on DOM-based XSS can be found at http://www.owasp.org/index.php/DOM_Based_XSS.
The vendor (Dojo Foundation) was notified of this issue on February 19, 2010. The vendor responded by releasing version 1.4.2 on March 12, 2010 and has also issued a security bulletin: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/.
==========================================================2. Technical Details
1) Data enters via "theme" URL parameter through the window.location.href property.
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
2) The "theme" variable with user-controllable input is then passed into "themeCss" and "themeCssRtl" which is then passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
1) Data enters via "dojoUrl" or "testUrl" URL parameters through the window.location.search property.
var qstr = window.location.search.substr(1);
2) The "dojoUrl" and "testUrl" variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.