how to protect location.href from cross site scripting in javascript?

tajMahal picture tajMahal · Aug 22, 2014 · Viewed 8.6k times · Source

Here in my javascript function im using location.href as follows location.href = "../Floder1/result.jsp"; it is working fine but when i used fortify tool it is showing Cross-site Scripting which can result in the browser executing malicious code. how to protect this from cross site scripting. Thank you very much,your answer will be very much appreciated.

Answer

SnakeDrak picture SnakeDrak · Aug 22, 2014

The Cross-site Scripting occurs when the user can put data in the webpage or get session data for example.

HOW PROTECT

You never allow inject code in your webpage. So, if you have a form, check it in the server and parse it before print in your page.

You shouldn't allow that the page content is changed by the href. You always escape the data before!.

Read this answer about location.href: https://stackoverflow.com/a/24089350/2389232

SAMPLE:

You have a iframe what changes with a GET variable:

sample.tld/index.jsp?iframe=none.jsp

I can inject a script to your iframe so you should protect it with escape characters:

// Escape the characters in the server and send it to the client.
// So the variable GET iframe will be valid