7

Here in my javascript function im using location.href as follows location.href = "../Floder1/result.jsp"; it is working fine but when i used fortify tool it is showing Cross-site Scripting which can result in the browser executing malicious code. how to protect this from cross site scripting. Thank you very much,your answer will be very much appreciated.

Improve this question
7
  • where does the string that you are setting location.href come from? Commented Aug 22, 2014 at 6:40
  • Assigning value to location.href is wrong way?if so guide me please. Commented Aug 22, 2014 at 6:40
  • @Gabs00 ,flag does not do anything ,just for identification/validation i kept flag Commented Aug 22, 2014 at 6:42
  • @kinakuta,String come from cookies i think. Commented Aug 22, 2014 at 6:43
  • Can you provide more info on what exactly you are trying to achieve? The issue, and why you chose this solution Commented Aug 22, 2014 at 6:45

2 Answers 2

Reset to default
1

This code should work only in firefox since Proxy isn't implemented in all browsers

What you can do is to replace the original location object with a proxied one where you add some logic to your proxy to check for allowed value for location. this will not protect against the direct modification of the original object (location) but if you use only the proxied object in your code you should be fine.

// suppose we are in example.com
let validator = {
   set: function(obj, prop, val) {
     if (prop === 'href') {
       if(typeof val != 'string'){
         throw new TypeError('href must be string.');
       }
       if (!val.startsWith("https://example.com/")) {
         throw new Error('XSS');
       }
     }
    obj[prop] = val;
    return true;
   },
   get: function(obj, prop){
    return prop in obj?
        obj[prop] :
        null;
   }
};
let proxiedLocation = new Proxy(location, validator);
console.log(proxiedLocation.href);// work same as location.href
proxiedLocation.href = "https://example.com/page1";// work fine
proxiedLocation.href = "https://example.net/page1";// cause exception
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

The Cross-site Scripting occurs when the user can put data in the webpage or get session data for example.

HOW PROTECT

You never allow inject code in your webpage. So, if you have a form, check it in the server and parse it before print in your page.

You shouldn't allow that the page content is changed by the href. You always escape the data before!.

Read this answer about location.href: https://stackoverflow.com/a/24089350/2389232

SAMPLE:

You have a iframe what changes with a GET variable:

sample.tld/index.jsp?iframe=none.jsp

I can inject a script to your iframe so you should protect it with escape characters:

// Escape the characters in the server and send it to the client.
// So the variable GET iframe will be valid
Improve this answer

4 Comments

,how should i write condition for my current situation(question) to protect
snake,I'm not using any iframe in my code just i have this peace of code in my js function location.href = "../Floder1/result.jsp";
Which is the problem? These location.href redirect to another page. It is not a vulnerability. If fortify tool says that these line is a XSS vulnerability it is wrong. Read this explain.
If it solves your problem mark it please :). Otherwise say me what you want to do. Regards!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.