how to protect location.href from cross site scripting in javascript? - Stack Overflow

Here in my javascript function im using location.href as follows location.href = "../Floder1/result.jsp"; it is working fine but when i used fortify tool it is showing Cross-site Scripting which can result in the browser executing malicious code. how to protect this from cross site scripting. Thank you very much,your answer will be very much appreciated.

Here in my javascript function im using location.href as follows location.href = "../Floder1/result.jsp"; it is working fine but when i used fortify tool it is showing Cross-site Scripting which can result in the browser executing malicious code. how to protect this from cross site scripting. Thank you very much,your answer will be very much appreciated.

• javascript
• cross-site
• location-href
• fortify

Share Improve this question Follow edited Aug 22, 2014 at 6:46 tajMahal asked Aug 22, 2014 at 6:35 tajMahaltajMahal 41866 gold badges1818 silver badges4141 bronze badges 7

• where does the string that you are setting location.href e from? – kinakuta Commented Aug 22, 2014 at 6:40
• Assigning value to location.href is wrong way?if so guide me please. – tajMahal Commented Aug 22, 2014 at 6:40
• @Gabs00 ,flag does not do anything ,just for identification/validation i kept flag – tajMahal Commented Aug 22, 2014 at 6:42
• @kinakuta,String e from cookies i think. – tajMahal Commented Aug 22, 2014 at 6:43
• Can you provide more info on what exactly you are trying to achieve? The issue, and why you chose this solution – Gabs00 Commented Aug 22, 2014 at 6:45

 |  Show 2 more ments

2 Answers 2

Sorted by: Reset to default 1

This code should work only in firefox since Proxy isn't implemented in all browsers

What you can do is to replace the original location object with a proxied one where you add some logic to your proxy to check for allowed value for location. this will not protect against the direct modification of the original object (location) but if you use only the proxied object in your code you should be fine.

// suppose we are in example.
let validator = {
   set: function(obj, prop, val) {
     if (prop === 'href') {
       if(typeof val != 'string'){
         throw new TypeError('href must be string.');
       }
       if (!val.startsWith("https://example./")) {
         throw new Error('XSS');
       }
     }
    obj[prop] = val;
    return true;
   },
   get: function(obj, prop){
    return prop in obj?
        obj[prop] :
        null;
   }
};
let proxiedLocation = new Proxy(location, validator);
console.log(proxiedLocation.href);// work same as location.href
proxiedLocation.href = "https://example./page1";// work fine
proxiedLocation.href = "https://example/page1";// cause exception

The Cross-site Scripting occurs when the user can put data in the webpage or get session data for example.

HOW PROTECT

You never allow inject code in your webpage. So, if you have a form, check it in the server and parse it before print in your page.

You shouldn't allow that the page content is changed by the href. You always escape the data before!.

Read this answer about location.href: https://stackoverflow./a/24089350/2389232

SAMPLE:

You have a iframe what changes with a GET variable:

sample.tld/index.jsp?iframe=none.jsp

I can inject a script to your iframe so you should protect it with escape characters:

// Escape the characters in the server and send it to the client.
// So the variable GET iframe will be valid