XSS Cross Site Scripting Reflected in JavaScript file

My JS file has the following code:

function changeLanguage(newLang) {
    var winLoc = String(this.window.location);
    var pos = winLoc.indexOf("lang=");
    var spacer = '?';
    if(pos >0) {
        var curLang = winLoc.substring(pos+5,pos+7);
        winLoc = winLoc.replace('lang=' + curLang, 'lang='+newLang);

    } else {
        if(winLoc.indexOf("?") > 0) {
            spacer = '&';
        }

        winLoc = winLoc + spacer + 'lang=' + newLang;
    }

    this.window.location = winLoc;  //here is the issue


}

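I ran into an XSS Cross Site Scripting issue on the highlighted line when scanning the code with the HP Fortify tool.

What can I do so that HP Fortify does not treat this as a vulnerability? Thanks in advance.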

Use location.assign to assign the location. It compares the origin of the script with the desired URL before assigning it.
From the link above:

If the assignment can't happen because of a security violation, a DOMException of the SECURITY_ERROR type is thrown. This happens if the origin of the script calling the method is different from the origin of the page originally described by the Location object, mostly when the script is hosted on a different domain.

You can also use location.replace to prevent the current page from being saved in session history.
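
As an added example (not code from the question or the answer), here is one way to rebuild the URL so that the value written into `lang=` is allowlisted and the navigation target is checked before `location.assign` is called. `ALLOWED_LANGS`, its contents and `buildLanguageUrl` are hypothetical names chosen for illustration.

```javascript
// Added example; ALLOWED_LANGS and buildLanguageUrl are hypothetical names.
const ALLOWED_LANGS = new Set(["en", "fr", "de", "es"]); // assumed supported languages

// Pure function: returns the URL to navigate to, or throws on untrusted input.
function buildLanguageUrl(currentHref, newLang) {
  // Allowlist the value instead of trying to escape it.
  if (typeof newLang !== "string" || !ALLOWED_LANGS.has(newLang)) {
    throw new RangeError("unsupported language code");
  }
  const url = new URL(currentHref); // throws TypeError on a malformed URL
  // Refuse javascript:, data: and any other non-web scheme.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new RangeError("unexpected URL scheme");
  }
  // set() replaces an existing lang= value, or appends one, with proper
  // encoding and without disturbing the #fragment.
  url.searchParams.set("lang", newLang);
  return url.href;
}

// Browser entry point with the same signature as the function in the question.
function changeLanguage(newLang) {
  const target = buildLanguageUrl(window.location.href, newLang);
  // Defence in depth: only navigate within the current origin.
  if (new URL(target).origin !== window.location.origin) {
    throw new Error("refusing cross-origin navigation");
  }
  window.location.assign(target);
}
```

Parsing with `URL` also avoids the string-splicing edge cases in the original function, such as appending `lang=` after a `#fragment` or matching `lang=` inside another parameter name.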