Anthony Martinez
Hello,

There is a LiveChat sample given in the developer guide and we reused the same set of code as a PreChat page. The code is as follows:

<!-- This script takes the endpoint URL parameter passed from the deployment
     page and makes it the action for the form -->
<script type="text/javascript">
(function() {
    function handlePageLoad() {
        // Pull the raw "endpoint" value out of the query string (location.search)
        var endpointMatcher = new RegExp("[\\?\\&]endpoint=([^&#]*)");
        // Decode it and use it, unchecked, as the form's action URL. Reading
        // location.search here is what the analyzer flags. Note that exec()
        // returns null when the parameter is absent, so [1] would throw then.
        document.getElementById('prechatForm').setAttribute('action',
            decodeURIComponent(endpointMatcher.exec(document.location.search)[1]));
    }
    if (window.addEventListener) {
        window.addEventListener('load', handlePageLoad, false);
    } else {
        // Legacy IE fallback
        window.attachEvent('onload', handlePageLoad, false);
    }
})();

// Copies the visitor's first name into the hidden window-name field on submit
function setName() {
    document.getElementById("windowName").value =
        document.getElementById("firstName").value;
    return true;
}
</script>

But the static code analyzer tool gives an error saying "Possible Cross-site script (XSS) vulnerability when accessing location.search". How do I fix this issue? The endpoint parameter returned in the URL is already in encoded format and a sample value is

?endpoint=https%3A%2F%2F45r.la3-c2cs-chi.salesforceliveagent.com%2Fcontent%2Fs%2Fchat%3Flanguage%3Den_US%23deployment_id%3Dxxxx%26org_id%3Dyyyy%26button_id%3Dzzzz%26session_id%3Daaaaaaa

which is equivalent to

?endpoint=https://45r.la3-c2cs-chi.salesforceliveagent.com/content/s/chat?language=en_US#deployment_id=xxxx&org_id=yyyy&button_id=zzzz&session_id=aaaaaaa

Can you please let me know how to fix this code?
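The analyzer objects because the sample takes a value straight from `location.search` and writes it into the form's `action` without checking it, so anyone who can craft a link to the pre-chat page can choose where the form posts. The usual fix is to keep the value from the URL, but validate it before it touches the DOM. The following is an added example, not the poster's code and not Salesforce's sample: it parses the query string with `URLSearchParams`, requires an absolute `https:` URL whose host is on an allowlist, and only then sets the action. The allowlist suffix, the function names and the fallback behaviour when validation fails are assumptions for illustration.

```javascript
// Added example (not the original post's code, nor Salesforce's sample):
// validate the `endpoint` query parameter before using it as a form action.
// The allowed host suffix and the function names are assumed for illustration.

// Hosts the pre-chat form may post to (assumed allowlist, edit for your org).
const ALLOWED_HOST_SUFFIXES = [".salesforceliveagent.com"];

/**
 * Parse `search` (e.g. "?endpoint=https%3A%2F%2F...") and return the decoded
 * endpoint only if it is an absolute https URL on an allowed host.
 * Returns null otherwise, so an untrusted value never reaches the DOM.
 */
function resolveChatEndpoint(search, allowedHostSuffixes = ALLOWED_HOST_SUFFIXES) {
  const params = new URLSearchParams(search);   // does the percent-decoding
  const raw = params.get("endpoint");
  if (!raw) return null;                        // parameter absent or empty

  let url;
  try {
    url = new URL(raw);                         // rejects relative / malformed values
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;   // no http:, javascript:, data:, ...

  const host = url.hostname.toLowerCase();
  const allowed = allowedHostSuffixes.some(
    // Require a real subdomain of the suffix, not a host that merely ends
    // in the same characters (e.g. "evil.example" vs ".example").
    (suffix) => host.endsWith(suffix) && host.length > suffix.length
  );
  return allowed ? url.href : null;
}

/**
 * Wire the validated endpoint into the form. Kept separate from validation so
 * the validation can be exercised without a browser; `doc` is any object with
 * getElementById (the real document in the page, a stub in tests).
 * Returns true when a validated action was set.
 */
function applyPrechatEndpoint(doc, search) {
  const form = doc.getElementById("prechatForm");
  if (!form) return false;

  const endpoint = resolveChatEndpoint(search);
  if (endpoint === null) {
    // Assumed fallback: leave the form with no action rather than posting
    // to an address the page never vouched for.
    form.setAttribute("action", "");
    return false;
  }
  form.setAttribute("action", endpoint);        // validated absolute https URL
  return true;
}

// Browser entry point; skipped when the file is loaded outside a page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("load", function () {
    applyPrechatEndpoint(document, window.location.search);
  });
}
```

In the page itself this replaces the body of `handlePageLoad` from the sample; `resolveChatEndpoint` takes the role of the regular expression plus `decodeURIComponent`, and the host check is what turns the tainted `location.search` read into a value the analyzer (and a reviewer) can accept.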