Prevent using javascript in window.location

I have a page that redirects to a URL taken from a query-string parameter, for example:

    page.html?redirectUrl=index.html

Inside the page, I have this code:

    window.location.href = redirectUrl;

Redirection via a URL parameter is required. The page contains protected, sensitive data. Someone could craft a URL with JavaScript in it, like:

    page.html?redirectUrl=javascript:alert(document.getElementById("password").value)

and the protected data could be stolen.

How do I prevent JavaScript code from running through window.location.href?

+4
2 answers

This seems to work until you redirect it:

JavaScript:

    var field = document.getElementById("redirectUrl");
    var newValue = String(field.value);   // coerce the field value to a plain string
    alert(newValue);

Basically, using the String constructor to "sanitize" the input.

This will probably help in other cases:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

In general, I would recommend NOT using Javascript to sanitize input. If you process really sensitive or important data, you are strongly advised to use the server language to check and sanitize your input.

+1

You can try placing the URL in an anchor element and checking its protocol:

    var anchor = document.createElement("a");
    anchor.href = redirectUrl;           // the browser resolves and parses the URL
    if (anchor.protocol != "javascript:") {
        window.location.href = redirectUrl;
    }

However, I'm not sure how good browser support is for this, since MDN lists it as an HTML5 feature.

+1
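A stricter form of the protocol check from the answer above, as an added example that is not code from either answer: it resolves the parameter with the browser's URL parser, allows only http(s) targets on the page's own origin (the same-origin rule is an added assumption, there to stop open redirects as well), and rejects everything else. `baseUrl` stands in for `document.baseURI` so the check also runs outside a browser.

```javascript
// Added example (not from either answer): resolve the redirect parameter with the
// browser's URL parser and allow only http(s) targets on the page's own origin.
// `baseUrl` stands in for document.baseURI so the functions also run under Node.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the absolute URL that is safe to navigate to, or null if the input must be rejected.
function safeRedirectTarget(input, baseUrl) {
  if (typeof input !== "string" || input === "") {
    return null;
  }
  let target;
  try {
    // The parser strips leading/trailing whitespace and lowercases the scheme, so
    // " JavaScript:..." and "javascript:..." both come back with protocol "javascript:".
    target = new URL(input, baseUrl);
  } catch (e) {
    return null; // unparsable input: refuse instead of falling back to raw navigation
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return null; // blocks javascript:, data:, vbscript:, file: and any other scheme
  }
  // Same-origin rule (an added assumption): also blocks open redirects such as "//evil.example/".
  if (target.origin !== new URL(baseUrl).origin) {
    return null;
  }
  return target.href;
}

// Reads ?redirectUrl=... from the page's own URL and returns the vetted target or null.
function redirectTargetFromPage(pageUrl) {
  const param = new URL(pageUrl).searchParams.get("redirectUrl");
  return safeRedirectTarget(param, pageUrl);
}

// Drop-in replacement for the question's `window.location.href = redirectUrl;` line.
function redirectFromQuery() {
  const target = redirectTargetFromPage(window.location.href);
  if (target !== null) {
    window.location.href = target;
  }
}
```

Because the scheme is allowlisted rather than compared against "javascript:", the check does not need a growing list of dangerous schemes, and the same-origin test can be dropped if cross-site redirects are genuinely required.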
