I'm not the strongest JS user, but I need it and wrote some code for my web page that works on Apache and PHP. In my ajax request I have the following code:
if (dataX['var1'] == '1.1' || dataX['var1'] == '2.1') { window.location.href = '<domain>' }
If I use XSStrike to check for potential vulnerabilities on my system, I get messages that it may be injectable.
Can someone help me fix it? Do I need like a freeze or something to fix it? Sorry, I don't know how an attacker can use this. Thanks for any help. Good luck.
What have I tried? I tried asking on that channel!
P粉739079318 2023-09-21 11:34:55
If <domain> can contain arbitrary unchecked strings, then if an attacker has previously successfully saved any string they wanted as "domain", they will gain access to your page scope. In this case, it's highly questionable what they could do except redirect to their server, since the code in <domain> won't be executed due to the page change.
I'm not sure about a location
window.location.href = '';executeSomethingNasty()
Or just change the hash
window.location.href = window.location.href+'#stayonthepage';executeSomethingNasty()
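One way to close the hole described in the answer above, as an added example that is not part of the original thread: emit the stored value as an encoded string literal instead of pasting it between quotes, and follow it only if it resolves to an allowlisted origin. The function names, `ALLOWED_ORIGINS` and the `example.com` origin are assumptions made for the example.

```javascript
// Added example. Every name and origin below is an assumption, not from the page.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]); // constructed allowlist

// Encode an untrusted value as a JS string literal that cannot end the literal
// or the surrounding <script> element. The server-side template should emit the
// result of an equivalent encoder in place of a raw value between quotes.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Resolve the candidate against the current page and return a normalized URL
// only if it is http(s) and on an allowed origin; otherwise return null.
function safeRedirectTarget(candidate, pageUrl, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(candidate, pageUrl);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!allowed.has(url.origin)) return null;
  return url.href;
}

// The condition from the question, with the redirect target checked first.
function redirectFor(dataX, domain, pageUrl) {
  if (dataX.var1 !== "1.1" && dataX.var1 !== "2.1") return null;
  return safeRedirectTarget(domain, pageUrl);
}

// In the page (browser only):
//   const target = redirectFor(dataX, DOMAIN, window.location.href);
//   if (target) window.location.assign(target);
```

Here `DOMAIN` stands for the constant the server writes into the page using the encoded literal, so the stored value arrives as data and is never parsed as code.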