I was asked to correct an XSS vulnerability on an old website, using JSP and JavaScript.
On a "Return" button, I put a "backURL" parameter as the href, to be able to go back to the previous page I was on.
Previously, my JavaScript code was in the HTML page, which made it exploitable by replacing the parameter with a script.
I came up with two "solutions" and wanted to ask if they are valid.
First, I would encode the URL when getting the parameter in the JavaScript function, using this library: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Here's the code in my jsp file:
<a class="float_left button" href="#" onclick="goback(this)" >Retour</a>
Then right under it, in the same file:
<script type="text/javascript">
    function goback(domEle) {
        // Value was HTML-encoded server-side with the OWASP Java Encoder JSP taglib
        var backUrl = "${e:forHtml(param.backUrl)}";
        domEle.href = decodeEntity(backUrl);
    }
    // Reverse the HTML entity encoding applied by forHtml above
    function decodeEntity(str) {
        return str.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
    }
</script>
But then I thought it might also work to just put this JavaScript in another file, like this:
JSP file:
<a class="float_left button" href="#" onclick="goback(this,'${param.backUrl}')" >Retour</a>
JavaScript file:
function goback(domEle, backUrl) {
    domEle.href = backUrl;
}
From my tests, both seem to work. But I wanted to know if this is really completely XSS-proof, and if it is, which one is the best way to do it.
Thanks in advance!
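A client-side allowlist for the backUrl value, as an added example that is not part of the question above: it restricts the parameter to a same-site path before it is assigned to href, independently of how the value was encoded on the server. The helper name safeBackUrl and the base origin used for resolution are assumptions.

```javascript
// Added example, not from the original post. Hypothetical helper: accept the
// "backUrl" parameter only if it is a same-site path, so that the "Return"
// link can never point at another origin or carry a URL scheme.
// Returns the cleaned path, or the fallback when the value is rejected.
function safeBackUrl(raw, fallback) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Only root-relative paths: must start with a single "/" (not "//" or "/\",
  // which browsers treat as protocol-relative URLs pointing elsewhere).
  if (raw.charAt(0) !== "/" || /^[\/\\]{2}/.test(raw)) {
    return fallback;
  }
  // Reject control characters and whitespace, which some URL parsers strip
  // before interpreting the rest of the value.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return fallback;
  }
  // Resolve against a fixed base (assumed origin) and confirm the result
  // stays on that origin; this also normalises "." and ".." segments.
  var base = "https://example.invalid";
  var parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return fallback;
  }
  if (parsed.origin !== base) {
    return fallback;
  }
  return parsed.pathname + parsed.search + parsed.hash;
}

// How the "Return" handler from the question could use it: the href is set
// through the DOM property on a checked value, never by building HTML from
// the raw parameter.
function goback(domEle, rawBackUrl) {
  domEle.href = safeBackUrl(rawBackUrl, "/");
}
```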