Cross-Scripting Vulnerability?

Hi there.

Site: https://fantasy-books.live
Latest Pro and WordPress versions.

Problem: I’m worried over the warnings I receive when I use Pro.

cs-vendor.js?ver=3.0.4:7407 WARNING: Binding style attributes may introduce cross-site scripting vulnerabilities; please ensure that values being bound are properly escaped. For more information, including how to disable this warning, see http://emberjs.com/deprecations/v1.x/#toc_binding-style-attributes.

Hi There,

Thanks for writing in! Are you experiencing any issues while editing pages or loading the page builder?

Also make sure to purge your server cache and also make sure that you’re fully updated. You can see the latest version numbers from here (https://theme.co/apex/forum/t/troubleshooting-version-compatibility/195).

Let us know how it goes.
Thanks!

Hi there. I’m properly updated.

It’s something I’ve noticed before. But now that I am building a new site, with security as a major goal, it does lead me to play cautious.

That error only shows in the browser when I open the page builders.

As for any problems loading the page builder, there are times when I get the error message. That is once in a while. The one that says it may be a conflict or caching? Except I have built with no other plugins or caching and it has happened.

I figured it was normal though as a refresh usually takes care of it.

But just in case, is it possible for cs-vendor.js to be reviewed for the binding style attributes?

Thanks.

Hi J,

I understand you are talking about the warning message you see in the browser console. Actually, it is an Ember-related warning shown while using the Page Builder, and it is not there in the front end of the website.

Unfortunately, it is virtually not possible to get rid of those warnings in the page builder unless we do a huge code refactor. But I assure you that those are not security risks, especially as they are under the admin section and not the front end, and it is not possible to access those files unless the proper authentication is done by WordPress.

Having said that, we always do our best to improve the code, especially in such cases, and we will inform our developers about your concern. You will see improvements in upcoming releases.

Thank you for your understanding.

Thanks for updating me!
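
What the Ember warning quoted in the first post asks for ("ensure that values being bound are properly escaped"), shown as an added example that is not code from Pro, Ember or anyone in this thread: each value is checked against an allowlist before it is joined into a style string. The function name `buildSafeStyle`, the property allowlist and the sample input are assumptions constructed for illustration.

```javascript
// Added example: build a style attribute value from untrusted input.
// ALLOWED is an illustrative allowlist (assumption), not part of Ember.
const ALLOWED = {
  'color': /^(#[0-9a-f]{3,8}|[a-z]{3,20})$/i,
  'background-color': /^(#[0-9a-f]{3,8}|[a-z]{3,20})$/i,
  'width': /^\d{1,4}(\.\d{1,2})?(px|em|rem|%)$/,
  'height': /^\d{1,4}(\.\d{1,2})?(px|em|rem|%)$/,
  'opacity': /^(0(\.\d{1,3})?|1(\.0{1,3})?)$/,
};

// Returns { style, rejected }: a declaration string built only from
// allowlisted property/value pairs, plus the names of dropped properties.
function buildSafeStyle(declarations) {
  const kept = [];
  const rejected = [];
  for (const [prop, raw] of Object.entries(declarations)) {
    const name = String(prop).trim().toLowerCase();
    const value = String(raw).trim();
    // hasOwnProperty avoids matching inherited keys such as "constructor".
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, name);
    if (known && ALLOWED[name].test(value)) {
      kept.push(`${name}: ${value}`);
    } else {
      rejected.push(name);
    }
  }
  return { style: kept.join('; '), rejected };
}

// Constructed sample input: two ordinary values, one value that tries to
// append a second declaration, and one that tries to leave the attribute.
const sample = {
  'color': '#336699',
  'width': '120px',
  'background-color': 'red; background-image: url(//example.invalid/x)',
  'height': '100px" onmouseover="x',
};

const result = buildSafeStyle(sample);
console.log(result.style);
console.log(result.rejected);
```

In Ember, the deprecation notice linked in the warning resolves it by marking the bound string with `htmlSafe`; that is only appropriate for a string that has passed a check like this one.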