
In my application we are using window.location.href. Code snippet pasted below.

```javascript
clearSelection : function() 
{
    $('#clearSelection').on('click', function(){
        var url = window.location.href;
        if(url.indexOf('/c/') > 0){
            var refineUrl = url.substring(0, url.indexOf('?')).concat('?text=defaultPage&display=allMaterials');
        }
        else if(url.indexOf('/search') > 0){
            var refineUrl = url.substring(0, url.indexOf('?')).concat('?text=').concat($('#textSearchValue').val());
        }
        window.location.href = refineUrl;
    });
}
```

Burp tool is showing this code is vulnerable. So my question is how it is vulnerable and what is a good fix for this.

Your answer will be very much appreciated.

Manoj Kumar
  • No idea why it gets flagged as insecure by Burp tool, since I never used it. But window.location.search refers to the query string part of the URL (the ? part). So maybe you could use that to make the code shorter and (maybe) more secure. – Shilly Jul 13 '16 at 14:26
  • Possible duplicate of [Is it secure to use window.location.href directly without validation](http://stackoverflow.com/questions/24078332/is-it-secure-to-use-window-location-href-directly-without-validation) – t.niese Jul 13 '16 at 14:27
  • Shilly - No, this is not part of the query string, and there is no query string parameter in the URL after ?. – Manoj Kumar Jul 13 '16 at 14:36
  • This is probably flagging as a security vulnerability because you're constructing a URL from user input? Burp tools aren't smart enough to know exactly how everything is used, so it's probably a false positive – Adam Botley Jul 13 '16 at 14:43
  • You're concatting the ?text=.... to the URL. Just wanted to point out you could go window.location.search = '?text=...' instead of the concat and replace href. – Shilly Jul 13 '16 at 14:43

0 Answers
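
As an added example (not part of the original post or its comments), one way to rebuild the target URL from parsed components so that nothing copied from `window.location.href` or the text field reaches the navigation unencoded. `buildRefineUrl` and `ALLOWED_PROTOCOLS` are hypothetical names, and matching `/c/` and `/search` against the path only is an assumption about the intended behaviour.

```javascript
// Added example; buildRefineUrl and ALLOWED_PROTOCOLS are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the URL to navigate to, or null when the current page is neither a
// /c/ page nor a /search page (the posted code would navigate to "undefined").
function buildRefineUrl(currentHref, searchText) {
  let current;
  try {
    current = new URL(currentHref);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(current.protocol)) return null;

  // Rebuild from origin + path only. The old query string and fragment are
  // dropped by the parser instead of being cut off with substring().
  // Concatenating (rather than resolving the path against the origin) keeps
  // a path that starts with "//" on the same host.
  const target = new URL(current.origin + current.pathname);

  // Assumption: the markers are meant to match the path, not the query.
  if (current.pathname.includes('/c/')) {
    target.searchParams.set('text', 'defaultPage');
    target.searchParams.set('display', 'allMaterials');
  } else if (current.pathname.includes('/search')) {
    // searchParams.set percent-encodes the value, so "&", "=" or "#" typed
    // into the field stay inside the text parameter.
    target.searchParams.set('text', String(searchText ?? ''));
  } else {
    return null;
  }
  return target.href;
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
if (typeof window !== 'undefined' && typeof $ === 'function') {
  $('#clearSelection').on('click', function () {
    const next = buildRefineUrl(window.location.href, $('#textSearchValue').val());
    if (next !== null) window.location.assign(next);
  });
}
```
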