
I have this message from Checkmarx:

The application's = embeds untrusted data in the generated output with location, at line 19 of ****.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

The code is shown below:

    // Start from the current page URL (untrusted: whoever crafted the link controls it)
    const url = (window.location.href || '');
    // Remove the literal text "parameter=12" from the URL string
    const newHref = url.replace('parameter=12', '');
    if (newHref !== url) {
      // Something was stripped: navigate to the rewritten URL
      window.location.href = newHref;
    } else {
      // Nothing to strip: just reload the page
      window.location.reload();
    }

I used `sanitizeHtml` and `JSON.stringify` on `const url = window.location.href || ''`, but neither helped correct the problem. How is it possible to correct this type of error?

  • Hi, try to read your question as if you don't know the case. I'm confused. The quote from Checkmarx mentions **line 19**, but you gave us **line 22/25**. Also, we can't understand your code: what is the relation between the lines, and what is `newHref`? – baruchiro Jul 27 '22 at 05:38
  • See what a good question looks like: https://stackoverflow.com/questions/73129064/how-to-avoid-path-traversal-issue-in-python-3-6. Quote the full Checkmarx message, and share all the relevant code. – baruchiro Jul 27 '22 at 05:41
  • In the report itself it says 19 but showing code snippet of 22 and 25. I updated the snippet to give more meaning. – Reis Jul 27 '22 at 13:33
  • Have you tried using `const url = new URL(window.location.href);`? Then use that to manipulate the URL. – juliomalves Jul 29 '22 at 20:14
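The approach juliomalves's comment points at, worked through as an added example (not the asker's code or an accepted answer): parse the location with `new URL()`, drop the query parameter through `URLSearchParams` instead of splicing the string, and only assign a target that is an http(s) URL on the page's own origin. It assumes the parameter to remove is named `parameter` (the page only shows the literal `parameter=12`) and that the redirect is always meant to stay on the same site.

```javascript
// Added example: build the redirect target from a parsed URL object rather than
// from the raw window.location.href string that Checkmarx flags as untrusted.
// Assumption: the query parameter to drop is "parameter" and redirects stay on-site.

/**
 * Returns `href` with `paramName` removed from its query string, or null when
 * the input is not an absolute http(s) URL on `expectedOrigin`.
 */
function buildSafeRedirect(href, expectedOrigin, paramName = 'parameter') {
  let parsed;
  try {
    parsed = new URL(href);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  // Only plain web URLs: any other scheme is rejected outright.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  // Refuse to navigate to another site; the value came from an untrusted location.
  if (parsed.origin !== expectedOrigin) {
    return null;
  }
  // Remove the parameter structurally, so no dangling "?&" or "&&" is left behind
  // (the literal replace() in the question can leave those).
  parsed.searchParams.delete(paramName);
  return parsed.toString();
}

// Browser usage mirroring the original snippet's reload fallback. Guarded so the
// function above can also be exercised outside a browser (e.g. under Node).
if (typeof window !== 'undefined') {
  const current = window.location.href;
  const target = buildSafeRedirect(current, window.location.origin);
  if (target && target !== current) {
    window.location.assign(target); // validated, same-origin, re-serialized URL
  } else {
    window.location.reload();
  }
}
```

The scanner's complaint is about data flow, so the validation (scheme and origin checks) is what matters; simply wrapping the string in `new URL()` without checking anything is unlikely to clear the finding on its own.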
