DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
Hi Team - Request to provide solution to avoid below issue in Coverity scan.

Issue Details are as follows,

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS)2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation. [show details]
     The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

    HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
    JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
    URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

![dom](https://user-images.githubusercontent.com/64889341/84641792-32d3b580-af19-11ea-9f8c-7d02efdd1db6.PNG)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions