Is it safe to use window.location.href directly without checking

Is it safe to use window.location.href without any validation?

For instance:

<script>
    var value = window.location.href;
    alert(value);
</script>

From the example above, is it vulnerable to cross-site scripting (XSS) attack? If so, how? How can an attacker change the value of window.location.href into malicious content?

Change (second situation)

This is the URL: www.example.com?url=www.attack.com

Just suppose I have a getQueryString() function that will return a value without checking.

<script>
    var value = getQueryString('url');
    window.location.href = value;
</script>

The same question is, is it vulnerable to cross-site scripting (XSS) attack? If so, how? How can an attacker use "window.location.href = value" to execute XSS?


location.href :

  • location.href, , , .
  • location.href, URL-.

, , . location.href - , . , , eval, . , location.href URL-, . , , . .

-, . , , , XSS, - URI javascript: vbscript:.


: location.href:

, foo. , . foo location.href, ? , , URI, . ; value "https://www.google.com/", Google. !

, , URI, . URI , , , . #quux. location.href , "quux" . URI , .

: javascript: vbscript: URI. , . URI JavaScript VBScript URI, -. , ? , . foo: , , URI script. location.href, eval script.

JavaScript URI , VBScript - IE , quirks.

, URI: URI . URI : , URI. , HTML-. , , .

URI origin. , HTML, URI , - . Firefox.

Firefox URI , . URI , . , , . XSS .


XSS # 1

, - (, , Ebay Amazon), , - , - "Amazon/Ebay free stuff for http://haxor.site" URL- -.

, - URL .

EDIT: №1, , , "# 2"

var value = getQueryString('url');
window.location.href = encodeURI(value);

,
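As an added example (not code from the question or from any of the answers above), here is a defensive version of the second situation: the untrusted "url" parameter is parsed, restricted to http(s) on the site's own origin, and otherwise replaced by a fallback, which blocks both the javascript:/vbscript: URI vector and the off-site phishing redirect discussed in the answers. SITE_ORIGIN, the fallback path and the getQueryParam stand-in for the question's getQueryString are assumptions made for this example.

```javascript
// Added example, not part of the original page. Validates a redirect target
// before it is assigned to window.location.href. Uses the WHATWG URL API,
// available in browsers and in Node.

// Hypothetical site origin and fallback path; adjust to the real application.
const SITE_ORIGIN = 'https://www.example.com';
const FALLBACK_PATH = '/';

// Resolve `raw` against the site origin and return a safe absolute URL string,
// or the fallback when the value cannot be trusted as a redirect target.
function safeRedirectTarget(raw, origin = SITE_ORIGIN) {
  const allowed = new URL(origin).origin;      // normalised "scheme://host"
  const fallback = allowed + FALLBACK_PATH;
  if (typeof raw !== 'string') return fallback;
  let parsed;
  try {
    // A relative value such as "/account" resolves against our own origin;
    // an absolute value keeps whatever scheme and host the caller supplied.
    parsed = new URL(raw, origin);
  } catch {
    return fallback;                           // not a parseable URL at all
  }
  // Scheme allowlist: only http(s) may ever be followed. The parser lowercases
  // the scheme and strips embedded tabs/newlines, so "JAVA\tSCRIPT:" is caught.
  // encodeURI() would not help here: it leaves "javascript:alert(1)" unchanged.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return fallback;
  }
  // Origin check: "//www.attack.com", "https://www.attack.com/" and
  // "https://www.example.com@attack.com/" all resolve to a foreign origin.
  if (parsed.origin !== allowed) {
    return fallback;
  }
  return parsed.href;
}

// Stand-in for the question's getQueryString('url') that takes an href string,
// so the example runs outside a browser.
function getQueryParam(href, name) {
  return new URL(href).searchParams.get(name);
}

// In the browser the call would be:
//   window.location.href = safeRedirectTarget(getQueryString('url'));
// Here it is driven with a constructed URL in the shape of the question's example.
const demoHref = 'https://www.example.com/?url=//www.attack.com';
console.log(safeRedirectTarget(getQueryParam(demoHref, 'url')));
```

Note that the bare "www.attack.com" from the question resolves as a relative path on the current origin, so the realistic attack values are "//www.attack.com", a full "http://www.attack.com" URL, or a "javascript:" URI, and the function treats all three as untrusted.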


Source: https://habr.com/ru/post/1543528/

