HPFortify XSS vulnerability

[TheRedeemed]

Hi,

We are using useHistory() from the react-router-dom in our project. Our code was flagged for XSS vulnerability by HPFortify. The following line "window.location.href = href;" seems to be the problem.
This line is in the function push(path, state) which is in createBrowserHistory(props). I'm assuming this is coming from the history package.

Could you please comment on this issue? If there will be a fix, it will be helpful to know a tentative date for the fix?

Regards,

[gauravshah27]

Hi,

I have been facing the same issue from the push function. There are 2 places within the push function that use "window.location.href=href". Here is the code snippet from history.js that is causing an issue:

if (canUseHistory) {
    globalHistory.pushState({
         key: key,
         state: state
     }, null, href);

     if (forceRefresh) {
          window.location.href = href;
      } else {
          var prevIndex = allKeys.indexOf(history.location.key);
          var nextKeys = allKeys.slice(0, prevIndex + 1);
          nextKeys.push(location.key);
          allKeys = nextKeys;
          setState({
            action: action,
            location: location
          });
      }
} else {
     warning(state === undefined, 'Browser history cannot push state in browsers that do not support HTML5 history');
      window.location.href = href;
}

I have gone through my code and confirmed that we are not passing the forceRefresh prop and all the browsers that I am using support HTML5 history api which would result in canUseHistory being true and so the outer else block code never executes.

What is the recommended solution for this? Is there an update in the works that will address this issue that we are facing?

[TheRedeemed]

@gauravshahhere I ended up doing the same thing that you did and marked it as a non issue.