how to protect location.href from cross site scripting in javascript?
This code should work only in firefox since Proxy isn't implemented in all browsers
What you can do is to replace the original location
object with a proxied one where you add some logic to your proxy to check for allowed value for location. this will not protect against the direct modification of the original object (location
) but if you use only the proxied object in your code you should be fine.
// suppose we are in example.com
let validator = {
set: function(obj, prop, val) {
if (prop === 'href') {
if(typeof val != 'string'){
throw new TypeError('href must be string.');
}
if (!val.startsWith("https://example.com/")) {
throw new Error('XSS');
}
}
obj[prop] = val;
return true;
},
get: function(obj, prop){
return prop in obj?
obj[prop] :
null;
}
};
let proxiedLocation = new Proxy(location, validator);
console.log(proxiedLocation.href);// work same as location.href
proxiedLocation.href = "https://example.com/page1";// work fine
proxiedLocation.href = "https://example.net/page1";// cause exception
Comments
-
tajMahal almost 2 years
Here in my javascript function im using location.href as follows
location.href = "../Floder1/result.jsp";
it is working fine but when i used fortify tool it is showing Cross-site Scriptingwhich can result in the browser executing malicious code.
how to protect this from cross site scripting. Thank you very much,your answer will be very much appreciated. -
tajMahal over 9 years,how should i write condition for my current situation(question) to protect
-
tajMahal over 9 yearssnake,I'm not using any iframe in my code just i have this peace of code in my js function location.href = "../Floder1/result.jsp";
-
SnakeDrak over 9 yearsWhich is the problem? These
location.href
redirect to another page. It is not a vulnerability. If fortify tool says that these line is a XSS vulnerability it is wrong. Read this explain. -
SnakeDrak over 9 yearsIf it solves your problem mark it please :). Otherwise say me what you want to do. Regards!