rails / jquery-ujs

Ruby on Rails unobtrusive scripting adapter for jQuery
MIT License

XSS Vulnerability #485

Closed · dnprock closed this 7 years ago

dnprock commented 7 years ago

We ran the Burp Suite security scanner through our code base and it identifies a vulnerability in the turbolinks gem.

Here's the line that may cause script injection:

https://github.com/rails/jquery-ujs/blob/a4da3b4909b2ca081de3c6f99064403623bfe1fb/src/rails.js#L188

The tool recommends escaping the location.href variable to prevent script injection. Something like:

htmlEncode = function(value) { return $('<div />').text(value).html(); }

Would this be a vulnerability or is it already addressed?

rafaelfranca commented 7 years ago

This is not vulnerable to XSS because the value of location.href is not used to print any element in the DOM. It is in fact used in a security feature that compares whether a request is cross-domain or not.
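As an added illustration of the maintainer's point (this is example code, not the jquery-ujs source, whose check parses URLs through an anchor element rather than the WHATWG URL API): the page URL only feeds an origin-to-origin string comparison, so nothing derived from it reaches an HTML sink and HTML-encoding it would change nothing. The page URL is passed in as a parameter in place of location.href so the function runs outside a browser.

```javascript
// Added example, not the jquery-ujs implementation. Decides whether a request
// URL is cross-domain relative to the current page, the way a CSRF-token
// helper must before attaching a token to an XHR.
// `pageHref` stands in for location.href (assumed parameter, supplied so the
// function runs under Node as well as in a browser).
function isCrossDomain(requestUrl, pageHref) {
  let page;
  let target;
  try {
    page = new URL(pageHref);
    // Relative URLs ("/posts/1") resolve against the page, so they are same-origin.
    target = new URL(requestUrl, pageHref);
  } catch (e) {
    // Unparseable input: treat as cross-domain so the caller withholds the token.
    return true;
  }
  // origin = scheme + host + port; default ports are normalised by the parser,
  // and non-http(s) schemes yield the opaque origin "null", hence cross-domain.
  return page.origin !== target.origin;
}

// Constructed sample cases. Note the last page URL carries HTML-looking text in
// its query string: the origin comparison is unaffected, because the value is
// compared, never rendered.
const SAMPLE_CASES = [
  { request: "/posts/1", page: "https://app.example.test/posts", crossDomain: false },
  { request: "https://app.example.test:443/x", page: "https://app.example.test/", crossDomain: false },
  { request: "http://app.example.test/x", page: "https://app.example.test/", crossDomain: true },
  { request: "https://other.example.test/x", page: "https://app.example.test/", crossDomain: true },
  { request: "//cdn.example.test/lib.js", page: "https://app.example.test/", crossDomain: true },
  { request: "mailto:someone@example.test", page: "https://app.example.test/", crossDomain: true },
  { request: "/x", page: "https://app.example.test/?q=<script>", crossDomain: false },
];

// Returns one boolean per case: true when isCrossDomain agrees with the expectation.
function runSamples(cases) {
  return cases.map((c) => isCrossDomain(c.request, c.page) === c.crossDomain);
}
```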