
I have a JavaScript tab library I've been using that's always been fine, but with our recent upgrade of Fortify, we're getting a critical error on the window.location section of the code (edit: I should have mentioned that this is the original code, before being modified):

var b=window.location.href;

Our first modification was:

var b = (escape(window.location.href.toString()));

When that failed, we found and tried the following:

var b = (encodeID(window.location.href.toString()));

function encodeID(s) {
    // An empty string gets a placeholder id
    if (s === '') return '_';
    // Replace every character outside [a-zA-Z0-9.-] with _<hex char code>_
    return s.replace(/[^a-zA-Z0-9.-]/g, function(match) {
        return '_' + match.charCodeAt(0).toString(16) + '_';
    });
}

but another run of Fortify still throws the critical error. Also tried:

var b=encodeURIComponent(window.location.href);

Still critical.
Anyone have any thoughts on getting it to pass?

Carlos Mendieta
  • take a look at that [answer](http://stackoverflow.com/a/24089350/3293044) – beta-developper Feb 22 '17 at 17:51
  • I've read today that but I guess I don't understand. It says Option 1 is safe. The original code in the library has var b=window.location.href; that should be safe, but that goes critical, too. I'm not assigning the address it goes to and other than the user clicking the tab, they have no other input options. I understand that someone could copy the address from a window and use a passed parameter to do ill; however, I don't understand how to fix it. All of my attempts above have met with critical errors. – Carlos Mendieta Feb 22 '17 at 17:57
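As an added example (not code from the question or from the tab library), this is the data flow a taint-analysis reviewer wants to see when a tab is chosen from the URL: the fragment read from the location is only ever compared against a fixed allow-list, and only an allow-listed name is used to look up a panel, so no text from the URL reaches a DOM sink. KNOWN_TABS, DEFAULT_TAB and the "tab-" element-id prefix are assumed, constructed values.

```javascript
// Added example, not code from the question or the tab library.
// The URL fragment selects a tab only if it matches a fixed allow-list, so no text taken
// from window.location ever reaches a DOM sink such as innerHTML or a selector string.
// KNOWN_TABS, DEFAULT_TAB and the "tab-" element-id prefix are constructed assumptions.
const KNOWN_TABS = Object.freeze(['overview', 'details', 'history']);
const DEFAULT_TAB = 'overview';

// Return an allow-listed tab name for the given href, or DEFAULT_TAB when the fragment
// is missing, malformed, or not one of the known tabs.
function tabFromHref(href) {
  let candidate;
  try {
    // new URL() rejects malformed input; decodeURIComponent rejects bad %-escapes.
    candidate = decodeURIComponent(new URL(href).hash.replace(/^#/, ''));
  } catch (err) {
    return DEFAULT_TAB;
  }
  return KNOWN_TABS.includes(candidate) ? candidate : DEFAULT_TAB;
}

// Show the selected panel and hide the others. `doc` is any object exposing
// getElementById (the real document in a browser, a stub in tests). The element id is
// built from the allow-listed name, never from the raw URL.
function activateTab(doc, href) {
  const selected = tabFromHref(href);
  for (const name of KNOWN_TABS) {
    const panel = doc.getElementById('tab-' + name);
    if (panel) panel.hidden = name !== selected;
  }
  return selected;
}

// In a browser: activateTab(document, window.location.href);
```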

1 Answer


@Carlos Mendieta I agree with you. I think Fortify is wrongly reporting an issue here. You are not assigning a value to window.location.href; you are simply setting the value in a variable. There is a discussion on the Security Stack Exchange, "JS code giving xss vulnerability", that essentially argues the same. I would see if you can tune Fortify to not report on this item.

M. Rizzo
  • Appreciate the input. I'll give that site a look-see. I wish we could fine-tune Fortify ourselves, but unfortunately we don't run that server and those guys.. ugh. Thanks again. – Carlos Mendieta Feb 22 '17 at 19:22