Sathish Venkat

Cross-site script (XSS) vulnerability when accessing location.search

Hello,

There is a LiveChat sample given in the developer guide and we reused the same set of code as a PreChat page. The code is as follows
 
<!-- This script takes the endpoint URL parameter passed from the deployment 
      page and makes it the action for the form -->
    <script type="text/javascript">
    (function() { 
        function handlePageLoad() {
            var endpointMatcher = new RegExp("[\\?\\&]endpoint=([^&#]*)");
            document.getElementById('prechatForm').setAttribute('action',
            decodeURIComponent(endpointMatcher.exec(document.location.search)[1]));
        }
        if (window.addEventListener) {
            window.addEventListener('load', handlePageLoad, false);
        } else {
            window.attachEvent('onload', handlePageLoad, false);
        }
    })(); 
    function setName() {
            document.getElementById("windowName").value =  
                document.getElementById("firstName").value;
                return true;
            }
    </script>

But the static code analyzer tool gives an error saying Possible Cross-site script (XSS) vulnerability when accessing location.search. How do I fix this issue? The endpoint parameter returned in the URL is already in encoded format and a sample value is
 ?endpoint=https%3A%2F%2F45r.la3-c2cs-chi.salesforceliveagent.com%2Fcontent%2Fs%2Fchat%3Flanguage%3Den_US%23deployment_id%3Dxxxx%26org_id%3Dyyyy%26button_id%3Dzzzz%26session_id%3Daaaaaaa

which is equivalent to 

?endpoint=https://45r.la3-c2cs-chi.salesforceliveagent.com/content/s/chat?language=en_US#deployment_id=xxxx&org_id=yyyy&button_id=zzzz&session_id=aaaaaaa

Can you please let me know how to fix this code?
Anthony Martinez
Hey Sathish,

It looks like sanitizing the URL a bit before processing might do the trick here. You can get rid of any JavaScript in the URL by simply removing it using the following (see the Developer Guide: https://developer.salesforce.com/docs/atlas.en-us.live_agent_dev.meta/live_agent_dev/live_agent_pre_chat_forms_code_sample.htm):
.replace("javascript:", "")
I went ahead and modified your code a bit to do this.
<!-- This script takes the endpoint URL parameter passed from the deployment 
      page and makes it the action for the form -->
    <script type="text/javascript">
    (function() { 
        function handlePageLoad() {
            var endpointMatcher = new RegExp("[\\?\\&]endpoint=([^&#]*)");
            document.getElementById('prechatForm').setAttribute('action',
            decodeURIComponent(endpointMatcher.exec(document.location.search)[1].replace("javascript:", "")));
        }
        if (window.addEventListener) {
            window.addEventListener('load', handlePageLoad, false);
        } else {
            window.attachEvent('onload', handlePageLoad, false);
        }
    })(); 
    function setName() {
            document.getElementById("windowName").value =  
                document.getElementById("firstName").value;
                return true;
            }
    </script>

 
Charles Thompson
Stripping the endpoint parameter of Javascript is a good start, but what happens if someone introduces a link to a malicious URL in the endpoint parameter?
lavanya g 9
Hi, can anyone help me out to solve this Cross-site script (XSS) vulnerability?
var winSearch = decodeURIComponent(window.location.search).split("/");
var winPath = decodeURIComponent(window.location.pathname).split("/");
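Added example (not from the Salesforce sample or from any of the replies above): a parse-and-allowlist version of the endpoint handling that addresses both the analyzer finding in the original post and Charles's point about a malicious URL in the endpoint parameter, instead of stripping the string "javascript:". It also replaces the decodeURIComponent(...).split("/") parsing in lavanya's snippet with URLSearchParams and a per-segment decode that tolerates malformed percent-encoding. The allowlist host, the data-endpoint-error attribute name, and the names selectEndpoint, applyEndpoint and pathSegments are assumptions made for this example; the sample endpoint value is the one from the original post.

```javascript
// Added example: validate the ?endpoint= parameter instead of stripping
// "javascript:" from it. Not the Salesforce sample or any reply's code.
// The allowlist entry is constructed for the demo; replace it with the
// Live Agent host(s) your deployment actually uses.
const ALLOWED_ENDPOINT_HOSTS = ['45r.la3-c2cs-chi.salesforceliveagent.com'];

// Returns the endpoint as a normalized absolute URL string, or null when the
// parameter is missing, not parseable as an absolute URL, not https, or on a
// host outside the allowlist.
function selectEndpoint(search, allowedHosts) {
  // URLSearchParams does the percent-decoding and returns null for a missing
  // parameter, so there is no regex, no decodeURIComponent, and no exception
  // from exec(...)[1] when the parameter is absent.
  const raw = new URLSearchParams(search).get('endpoint');
  if (!raw) return null;

  let url;
  try {
    // No base URL: relative values throw here instead of resolving against
    // the current page.
    url = new URL(raw);
  } catch (e) {
    return null;
  }

  // Scheme check rejects javascript:, data:, http: and anything else.
  if (url.protocol !== 'https:') return null;
  // Host check is what a string replace cannot give: the form can only ever
  // post to a host the deployment owns. url.hostname is already lower-cased
  // and excludes any user@ prefix, so "https://good.example@evil.example/"
  // is compared as evil.example.
  if (!allowedHosts.includes(url.hostname)) return null;

  return url.href;
}

// Sets the form action only when the endpoint passes validation. Fails closed
// otherwise: the form keeps no action and is marked so the page can show a
// static error (data-endpoint-error is an attribute name chosen for the demo).
function applyEndpoint(form, search) {
  const endpoint = selectEndpoint(search, ALLOWED_ENDPOINT_HOSTS);
  if (endpoint === null) {
    form.setAttribute('data-endpoint-error', 'invalid-endpoint');
    return false;
  }
  form.setAttribute('action', endpoint);
  return true;
}

// Decodes location.pathname one segment at a time. decodeURIComponent throws a
// URIError on malformed input such as "%E0%A4%A", so decoding the whole path
// in one call (as in the split("/") snippet above) can break the page load.
// Returns the decoded, non-empty segments, or null if any segment is malformed.
function pathSegments(pathname) {
  const segments = [];
  for (const part of pathname.split('/')) {
    if (part === '') continue;
    try {
      segments.push(decodeURIComponent(part));
    } catch (e) {
      return null;
    }
  }
  return segments;
}

// Browser wiring, equivalent to the handlePageLoad registration in the sample.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', function () {
    applyEndpoint(document.getElementById('prechatForm'), window.location.search);
  });
}
```

In the pre-chat page this replaces the body of handlePageLoad: the form only receives an action when the endpoint is https and on an allowlisted host, and otherwise fails closed. The host check is the part a string replace cannot supply, and URLSearchParams.get returns null for a missing parameter instead of the sample's exec(...)[1] throwing when the parameter is absent.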