window.location.href 的安全修复 [英] Security fix for window.location.href

查看:446
本文介绍了window.location.href 的安全修复的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有下面的js代码

var a = window.location.href.substring(0,window.location.href.lastIndex('/')+1) + "logout.jsp";

setTimeout(function(){
      window.location.href = a;
},1000);

当我对上述文件运行强化扫描时,它在动态代码评估:代码注入的上述行中显示出安全风险.现在我无法理解如何修复它.我是否需要为 window.href 添加任何编码器或如何解决此问题.另外,如果我们有 encode ,我需要做什么.

When I am running a fortify scan for the above file, it is showing a security risk on the above line with Dynamic Code Evaluation :Code Injection. Now I am not able to understand on how to fix it. Do I need to add any encoder for window.href or how to resolve this. Also if we have encode , what I need to do.

推荐答案

如果我理解正确的逻辑,您是在尝试获取没有页面名称的 url 路径,然后您打算重定向到它.

If I understand the logic correctly, you are trying to get the path of the url without the page name, and then you intend to redirect to it.

如果这是正确的,您也许可以使用它来工作,

If that is correct, you might be able to get it to work using,

var a = "logout.jsp";

setTimeout(function(){
      window.location.href = a;
},1000);

原则上应该消除漏洞,但我不确定该工具是否检测到任何其他漏洞.

It should in principal get rid of the vulnerability, but I am not fully sure if the tool detects any other vulnerability in it.

这篇关于window.location.href 的安全修复的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆