
I have a simple example.js file that is included in an HTML page with <script src="example.js"></script>

'use strict';

// Reads a named query-string parameter from the current page URL.
function getURLParameter(name) {
  return new URLSearchParams(window.location.search).get(name);
}

function myFunction() {
  // Concatenate the parameter value into the query string of the outgoing request.
  var myParam = '?my_param=' + getURLParameter('my_param');
  $.ajax({
    cache: false,
    url: 'https://example.com' + myParam,
    type: 'GET',
    // [....]
  });
}

Is the above JavaScript vulnerable to XSS? I would have thought that var myParam = '?my_param=' + getURLParameter('my_param'), or even the part inside the ajax call when doing the string concatenation, would be, but I can't break the string and the " gets replaced by '\"'.

For example, I thought something as simple as this:

https://mypage.com?my_param=test';alert(1);

would replace var myParam = '?my_param=' + getURLParameter('my_param'); with var myParam = '?my_param=test';alert(1);.

Marco

1 Answer


No.

JavaScript does not execute strings returned from functions as if they were JS source code. They are just strings.

Quentin
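As an added example (not code from the question or the answer), the snippet below runs the question's getURLParameter lookup against constructed query strings. It shows that the value stays plain string data, and that the practical concern with the naive concatenation is not script execution but an unencoded value changing the structure of the outgoing request query, which percent-encoding with URLSearchParams prevents. window.location.search is replaced by a function argument so it runs in Node.

```javascript
// Added example, not code from the question or the answer above.
// Node's global URLSearchParams is used; window.location.search is replaced by a
// query string passed in as an argument so this runs outside a browser.

// Constructed sample query strings standing in for window.location.search.
const SAMPLE_XSS_ATTEMPT = "?my_param=test';alert(1);";
const SAMPLE_ENCODED_AMP = "?my_param=test%26admin%3D1"; // %26 is '&', %3D is '='

// Same lookup as the question's getURLParameter, with the query string as a
// parameter instead of reading window.location.
function getURLParameter(name, search) {
  return new URLSearchParams(search).get(name);
}

// Naive concatenation as in the question. The decoded value is embedded verbatim,
// but it remains characters inside a string: nothing here evaluates it as code.
function buildNaiveQuery(search) {
  return '?my_param=' + getURLParameter('my_param', search);
}

// Hardened form: URLSearchParams percent-encodes the value, so characters such
// as '&', '=', ';' or quotes cannot alter the structure of the outgoing query.
function buildEncodedQuery(search) {
  const value = getURLParameter('my_param', search) ?? '';
  const params = new URLSearchParams();
  params.set('my_param', value);
  return '?' + params.toString();
}

// Parses the query that would be sent and returns its parameter names, which
// shows whether the input was able to add a parameter to the outgoing request.
function sentParameterNames(query) {
  return [...new URLSearchParams(query).keys()];
}
```

With the first sample the naive query is the literal text ?my_param=test';alert(1); and nothing runs; with the second, the naive query carries an extra admin parameter to the server while the encoded query does not.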