Cross site scripting when using windows.location.href

Question

I am using Windows.location.href=URl to navigate to MVC controller method from java script. I want to avoid any XSS attack when redirecting. what should i do

You probably mean `window`. What value does your URI contain? User input? — ssc-hrep3, Jan 28 '19 at 08:37

score 2 · Answer 1 · answered Jan 28 '19 at 09:07

2

You can write your own XSS sanitising function

function encodeHTML(s) {
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

window.location.href = encodeHTML(URI);

answered Jan 28 '19 at 09:07

Abhisar Tripathi

1,569
10
21

score -1 · Answer 2 · answered Jan 28 '19 at 09:17

It should be very easy. I have ready made solution for you. First of all some theoritical understanding

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations

<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script

<style>...NEVER PUT UNTRUSTED DATA HERE...</style>   directly in CSS

RULE #1 - HTML and JavaScript Escape Before Inserting Untrusted Data into HTML Element Content

HTML ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE... JS

<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>     inside a quoted string

Escaping as in

& --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; not recommended because its not in the HTML spec (See: section 24.4.1) &apos; is in the XML and XHTML specs.
 / --> &#x2F;     forward s

lash is included as it helps end an HTML entity

Ensure returned Content-Type header is application/json and not text/html.

Coming to the coding portion

Following would help you

private String killXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);

            // Avoid null characters
            value = value.replaceAll("", "");

            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }

Make sure every request you are sending to server is stripped through above mentioned code and you will never be victim of XSS.

Optimally you should sanitize the data BEFORE injecting it anywhere in the output. This GUARANTEES your security. — Xiddoc, Jun 13 '21 at 09:17
@Xiddoc well in the answer same sanitisation is done. We have two type of sanitisation per my understanding. 1 per business rule specific and 2 per the industry standards. Answer provided was referred by OWASP site when given. — Kunal Vohra, Jun 15 '21 at 14:22
And per the reference of original question, mentioned things done would suffice the job — Kunal Vohra, Jun 15 '21 at 14:23
Check [this](https://stackoverflow.com/a/54398564/11985743) for OWASP standards — Xiddoc, Jun 15 '21 at 14:56
Well I disagree. Please refer OWASP site and not a reference to another answer. — Kunal Vohra, Jun 15 '21 at 15:01

Cross site scripting when using windows.location.href

2 Answers2