remix-run / history

Manage session history with JavaScript
MIT License

Fortify Security Scan - High Finding: Cross-Site Scripting #881

Closed jstrong62 closed 3 years ago

jstrong62 commented 3 years ago

The following "High" finding was reported by a Fortify security scan and needs remediation to pass a standard security scan.

Version 6.14.11 history/cjs/history.js

386: window.location.href = href;
399: window.location.href = href;

Details from Fortify:

The method lambda() in history.js sends unvalidated data to a web browser on line 386 & 399, which can result in the browser executing malicious code.

timdorr commented 3 years ago

This is a false positive. That isn't how that operates at all.
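A static scanner flags `window.location.href = href` as a sink regardless of where the value comes from; whether such a finding is real depends on whether untrusted input can reach it. The following is an added example, not code from the history project, of the application-side boundary check that keeps user-influenced URLs (for instance a `?next=` query parameter) out of any navigation call; it assumes the WHATWG URL API and uses constructed sample inputs.

```javascript
// Added example; not part of remix-run/history. Assumes the WHATWG URL API
// (Node >= 10 and all modern browsers). The base URL and samples below are
// constructed for illustration.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Resolve `candidate` against `base` (the page's own URL) and return the
// resolved href if it is a plain web URL, or null if it must be rejected.
// Rejects javascript:, data:, vbscript: and every other non-http(s) scheme
// (the parser lowercases the scheme and trims surrounding whitespace, so
// case and padding variants are caught too), plus unparseable input.
function safeNavigationHref(candidate, base) {
  if (typeof candidate !== "string") return null;
  let url;
  try {
    url = new URL(candidate, base);
  } catch (_) {
    return null; // unparseable input never reaches the sink
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Stricter variant for in-app router navigation: the target must also be
// on the page's own origin, which catches absolute and protocol-relative
// ("//other.host/...") redirects to third-party sites.
function sameOriginHref(candidate, base) {
  const href = safeNavigationHref(candidate, base);
  if (href === null) return null;
  return new URL(href).origin === new URL(base).origin ? href : null;
}

// Classify a batch of candidates; returns [{input, web, sameOrigin}].
function triage(candidates, base) {
  return candidates.map((input) => ({
    input,
    web: safeNavigationHref(input, base),
    sameOrigin: sameOriginHref(input, base),
  }));
}

// Constructed inputs, as an app might receive them in a ?next= parameter.
const BASE = "https://app.example.test/account";
const SAMPLES = [
  "/dashboard?tab=1",            // relative path: web + same origin
  "//other.example.test/p",      // protocol-relative: web, not same origin
  "  JavaScript:void(0)",        // script scheme with padding: rejected
  "data:text/html,hi",           // data scheme: rejected
  "http://[",                    // unparseable: rejected
];
console.table(triage(SAMPLES, BASE));
```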