Here in my JavaScript function I'm using location.href as follows:
location.href = "../Floder1/result.jsp";
It is working fine, but when I used the Fortify tool it is showing Cross-site Scripting, which can result in the browser executing malicious code.
How to protect this from cross-site scripting? Thank you very much, your answer will be very much appreciated.
Cross-site Scripting occurs when the user can put data in the webpage or get session data, for example.
HOW TO PROTECT
You never allow injecting code in your webpage. So, if you have a form, check it in the server and parse it before printing it in your page.
You shouldn't allow the page content to be changed by the href. You always escape the data before!
Read this answer about location.href: https://stackoverflow.com/a/24089350/2389232
SAMPLE:
You have an iframe that changes with a GET variable:
sample.tld/index.jsp?iframe=none.jsp
I can inject a script into your iframe, so you should protect it with escape characters:
// Escape the characters in the server and send it to the client.
// So the GET variable iframe will be valid.
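The point the answer is making, as an added example that is not part of the question or the answer above: a fixed string assigned to location.href is harmless, the finding matters when the destination (or the iframe name) comes from user-controlled input such as a GET parameter. The page names and the `page` query key below are assumptions; the defence is an allowlist lookup plus a check that rejects anything that is not a plain relative path.

```javascript
// Added example, not code from the original question or answer.
// Map of allowed destinations (assumed paths): the parameter selects a KEY,
// so the raw user value is never assigned to location.href or an iframe src.
const ALLOWED_PAGES = {
  result: "../Floder1/result.jsp",   // path taken from the question
  none:   "none.jsp",                // name taken from the answer's iframe sample
};

// Resolve a user-supplied key to an allowlisted path, or null when unknown.
function resolveRedirect(key) {
  if (typeof key !== "string") return null;
  // Use hasOwnProperty so inherited names such as "constructor" do not match.
  return Object.prototype.hasOwnProperty.call(ALLOWED_PAGES, key)
    ? ALLOWED_PAGES[key]
    : null;
}

// Fallback check when a raw path must be accepted: only a plain relative path
// passes. Any URL scheme (javascript:, data:, http:), a protocol-relative
// "//host" form, control characters and HTML metacharacters are rejected.
function isSafeRelativePath(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  let decoded;
  try { decoded = decodeURIComponent(value); } catch (e) { return false; }
  const s = decoded.trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(s)) return false;   // has a scheme
  if (/^[\\/]{2}/.test(s)) return false;              // protocol-relative URL
  if (/[\u0000-\u001f<>"']/.test(s)) return false;    // control chars, < > " '
  return true;
}

// Read ?page=<key> from a query string and navigate only to an allowlisted
// target. locationObj is passed in (window.location in a browser) so the
// logic can run outside a browser; returns the target used, or null.
function redirectFromQuery(search, locationObj) {
  const key = new URLSearchParams(search).get("page");
  const target = resolveRedirect(key);
  if (target === null) return null;   // unknown key: stay on the page
  locationObj.href = target;          // safe: value came from ALLOWED_PAGES
  return target;
}

if (typeof window !== "undefined") {
  redirectFromQuery(window.location.search, window.location);
}
```

The same lookup applies to the iframe sample: set the iframe's src from ALLOWED_PAGES, never from the raw `iframe` parameter.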