Is a JavaScript file XSS safe?

I was asked to correct an XSS vulnerability on an old web site, using JSP and JavaScript.

On a "Return" button, I would put a "backURL" parameter as an href, to be able to go back to the previous page I was on.

Previously, my JavaScript code was in the HTML page, which would make it exploitable by replacing the parameter with a script.

I came up with 2 "Solutions" and I wanted to ask if they were valid.

First, I would encode the URL when getting the parameter in the JavaScript function, using this library: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Here's the code in my JSP file:

<a class="float_left button" href="#" onclick="goback(this)" >Retour</a>

Then right under it, in the same file:

<script type="text/javascript">
    function goback(domEle) {
        var backUrl = "${e:forHtml(param.backUrl)}";
        domEle.href = decodeEntity(backUrl);
    }

    function decodeEntity(str) {
        return str.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
    }
</script>

But then, I thought that it would maybe work to just put this JavaScript in another file, like this:

JSP file:

<a class="float_left button" href="#" onclick="goback(this,'${param.backUrl}')" >Retour</a>

JavaScript file:

function goback(domEle, backUrl) {
    domEle.href = backUrl;
}

From my tests, both seem to work. But I wanted to know if it was really completely XSS proof, and if so, which one is the best way to do it.

Thanks in advance!

almost 3 years ago · Juan Pablo Isaza
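Added example, not part of the question above: whichever JSP variant is used, the value of `backUrl` ends up as a JavaScript string literal (in the second variant, a JS string inside an HTML attribute), so the server side should encode it for that context (the library linked in the question provides `forJavaScript`, and a JS-in-attribute encoder for the `onclick` case) rather than HTML-encode and then partially decode it. Output encoding only stops the value from breaking out of the string, though; it does not stop a `javascript:` or off-site URL from being written into `href`. The client-side check below closes that second gap: it parses the parameter against the site's own origin and keeps only a same-origin path, query and fragment. `siteOrigin`, `DEFAULT_BACK` and the sample inputs are constructed for this illustration.

```javascript
// Added example (not from the original question or the OWASP project).
// Fallback used whenever the supplied back URL is rejected (assumed value).
const DEFAULT_BACK = "/";

// Returns a same-origin path (plus query and fragment) derived from `raw`,
// or DEFAULT_BACK if the value is empty, oversized, unparseable, uses a
// non-http(s) scheme, or points at another origin.
// Parsing with the URL constructor against the site's origin means that
// scheme-only values ("javascript:", "data:"), protocol-relative values
// ("//other.example/x") and absolute URLs to other hosts all fail the
// origin comparison, while "/orders?id=7" and "orders/42#top" are kept.
function safeBackUrl(raw, siteOrigin = "https://app.example") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_BACK;
  }
  let parsed;
  try {
    parsed = new URL(raw, siteOrigin);
  } catch (e) {
    return DEFAULT_BACK; // malformed input never reaches href
  }
  if (parsed.origin !== siteOrigin) {
    return DEFAULT_BACK;
  }
  // Same-origin URLs are http(s) here, but state the allowed schemes explicitly.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return DEFAULT_BACK;
  }
  // Rebuild from the parsed parts so the result is always a normalised,
  // origin-relative path rather than the raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// How the page's goback() would use the check in a browser: href is set
// from the validated value, never directly from the parameter.
function goback(domEle, rawBackUrl) {
  domEle.href = safeBackUrl(rawBackUrl, window.location.origin);
}
```

The check is deliberately an allow-list (same origin, http(s) only) rather than a block-list of bad schemes, so an unexpected scheme or an encoded variant of one falls through to the fallback by default.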