Sathish Venkat
Cross-site script (XSS) vulnerability when accessing location.search
Hello,
There is a LiveChat sample given in the developer guide and we reused the same set of code as a PreChat page. The code is as follows:

<!-- This script takes the endpoint URL parameter passed from the deployment page and makes it the action for the form -->
<script type="text/javascript">
(function() {
    function handlePageLoad() {
        // Pull the raw (still percent-encoded) endpoint value out of the query string
        var endpointMatcher = new RegExp("[\\?\\&]endpoint=([^&#]*)");
        var match = endpointMatcher.exec(document.location.search);
        if (!match) { return; } // no endpoint parameter: leave the form action unchanged
        // Decode it and use it directly as the form's action; this is where the analyzer flags location.search
        document.getElementById('prechatForm').setAttribute('action', decodeURIComponent(match[1]));
    }
    if (window.addEventListener) {
        window.addEventListener('load', handlePageLoad, false);
    } else {
        window.attachEvent('onload', handlePageLoad, false);
    }
})();

function setName() {
    // Copy the visitor's first name into the hidden windowName field before the form submits
    document.getElementById("windowName").value = document.getElementById("firstName").value;
    return true;
}
</script>

But the static code analyzer tool gives an error saying "Possible Cross-site script (XSS) vulnerability when accessing location.search". How do I fix this issue? The endpoint parameter returned in the URL is already in encoded format and a sample value is
?endpoint=https%3A%2F%2F45r.la3-c2cs-chi.salesforceliveagent.com%2Fcontent%2Fs%2Fchat%3Flanguage%3Den_US%23deployment_id%3Dxxxx%26org_id%3Dyyyy%26button_id%3Dzzzz%26session_id%3Daaaaaaa
which is equivalent to
?endpoint=https://45r.la3-c2cs-chi.salesforceliveagent.com/content/s/chat?language=en_US#deployment_id=xxxx&org_id=yyyy&button_id=zzzz&session_id=aaaaaaa
Can you please let me know how to fix this code?
It looks like sanitizing the URL a bit before processing might do the trick here. You can get rid of any JavaScript in the URL by simply removing it using. (See Developer Guide (https://developer.salesforce.com/docs/atlas.en-us.live_agent_dev.meta/live_agent_dev/live_agent_pre_chat_forms_code_sample.htm)) I went ahead and modified your code a bit to do this.

// Decode the query string and the path, then split each on "/" so the pieces can be inspected
var winSearch = decodeURIComponent(window.location.search).split("/");
var winPath = decodeURIComponent(window.location.pathname).split("/");
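The analyzer complains because the question's code takes a value from location.search and writes it straight into the form's action attribute, so whatever scheme and host the query string carries becomes the submit target. The usual way to satisfy both the tool and the threat model is not to strip characters, as the answer above suggests, but to validate the decoded value as a URL and accept it only when its scheme is https and its host is one you expect. The block below is an added example, not code from the original post, from the answer, or from the Salesforce developer guide; it assumes a host-suffix allowlist of `.salesforceliveagent.com` (adjust to your org's Live Agent domains), and the function names `resolveEndpoint` and `applyEndpointToForm` are this example's own. The sample query string is the one quoted in the question; the rejected inputs are constructed for the demonstration.

```javascript
// Added example (not the original poster's, the answerer's, or Salesforce's code).
// Validates the `endpoint` query parameter before it is used as a form action.

// Assumption: Live Agent endpoints live under this suffix; change for your org.
const DEFAULT_ALLOWED_HOST_SUFFIXES = [".salesforceliveagent.com"];

// Query string exactly as quoted in the question (xxxx/yyyy/... are the poster's placeholders).
const SAMPLE_SEARCH =
  "?endpoint=https%3A%2F%2F45r.la3-c2cs-chi.salesforceliveagent.com%2Fcontent%2Fs%2Fchat" +
  "%3Flanguage%3Den_US%23deployment_id%3Dxxxx%26org_id%3Dyyyy%26button_id%3Dzzzz%26session_id%3Daaaaaaa";

/**
 * Return the validated endpoint URL from a query string, or null if it must be rejected.
 * `search` is a string shaped like window.location.search ("?endpoint=...").
 */
function resolveEndpoint(search, allowedHostSuffixes = DEFAULT_ALLOWED_HOST_SUFFIXES) {
  // URLSearchParams percent-decodes the value once; this replaces the hand-rolled
  // RegExp + decodeURIComponent pair in the question.
  const raw = new URLSearchParams(search).get("endpoint");
  if (!raw) return null; // parameter absent or empty

  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return null;
  }

  // Only absolute https URLs: this rejects javascript:, data:, http: and friends.
  if (url.protocol !== "https:") return null;
  // No embedded credentials in the submit target.
  if (url.username || url.password) return null;
  // Host must sit under an allowed domain; the leading dot in the suffix
  // prevents "notsalesforceliveagent.com" from matching.
  const host = url.hostname.toLowerCase();
  if (!allowedHostSuffixes.some((suffix) => host.endsWith(suffix))) return null;

  return url.href; // normalised form of the accepted URL
}

/**
 * Set the form's action only when the endpoint validates. Returns true on success,
 * false when the parameter was rejected (the form keeps whatever action it already had).
 * `form` is anything with setAttribute, so it can be a DOM element or a test stub.
 */
function applyEndpointToForm(form, search, allowedHostSuffixes) {
  const endpoint = resolveEndpoint(search, allowedHostSuffixes);
  if (endpoint === null) return false;
  form.setAttribute("action", endpoint);
  return true;
}

// Browser wiring, the counterpart of handlePageLoad in the question. Skipped under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("load", function () {
    const form = document.getElementById("prechatForm");
    if (form) applyEndpointToForm(form, window.location.search);
  });
}

if (typeof module !== "undefined") {
  module.exports = { resolveEndpoint, applyEndpointToForm, DEFAULT_ALLOWED_HOST_SUFFIXES, SAMPLE_SEARCH };
}
```

Because the decision is made on a parsed URL rather than on the raw string, the check is stable against encoding tricks (double-encoding, mixed case in the scheme, credentials before the host), and the static analyzer sees the tainted value flow through a validation step instead of straight into setAttribute. When validation fails the form simply keeps its original action, which is a safer failure mode than submitting to an attacker-chosen target.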