Question

I am trying to understand what risk Fortify is seeing here. I am new to XSS work and I want to be sure before I decide this isn't a real issue. I can't see how a person could use this code for anything but messing up their own computer, so I am curious if I am missing something.

Here is the source. Fortify says that the line where window.location.href is being assigned is the vulnerability: "Unvalidated" data sent to browser.

    <c:if test="${isExternalUser}">
        <script type="text/javascript">
            $(function(){
                $('#logoutLink').on('click', function(){
                    // Server-side logout endpoint for external users
                    var logoutUrl = window.appSettings.context + '/external/logout/';
                    $.get(logoutUrl).done(function(){
                        // Redirect back to the app root on the current origin, carrying the
                        // JS-encoded 'policy-signout' request header as the query string
                        window.location.href = window.location.protocol + "//" + window.location.host + window.appSettings.context + "/?${ssw:encodeJS(header['policy-signout'])}";
                    });
                });
            });
        </script>
    </c:if>

Screenshot from Fortify

As far as I can tell there is no risk here.


Solution

I can't see any risk.

The only unvalidated data external to the browser is

${ssw:encodeJS(header['policy-signout'])}

which is correctly being JS encoded. Maybe Fortify isn't picking up on this fact.

You could try splitting that line (as a test) just to make sure it is the `encodeJS` call that is not being recognised as performing JS encoding.

    var policySignout = "${ssw:encodeJS(header['policy-signout'])}";

    window.location.href = window.location.protocol + "//" + window.location.host + window.appSettings.context + "/?" + policySignout;
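The following is an added example, not code from the question, the answer or the `ssw` taglib, to show in working JavaScript why the answer treats the encoded header as safe at this sink. `encodeJS` below is an assumed stand-in for `${ssw:encodeJS(...)}` written in the OWASP "encode for JavaScript" style (every character outside `[A-Za-z0-9]` becomes `\xHH` or `\uHHHH`); the real taglib implementation is not on the page. The context path `/app`, the origin `https://app.example.test` and the two attack values for the `policy-signout` header are constructed for the demo. The rendered statement is run against a fake `window` through the same encoder and through an identity "encoder", so the hijacked and the safe outcomes can be compared side by side.

```javascript
// Added example (not from the question, the answer or the ssw taglib).
// ASSUMED: encodeJS approximates ${ssw:encodeJS(...)}; "/app" and
// https://app.example.test are constructed values for this demo.

// Encode every UTF-16 unit outside [A-Za-z0-9] as \xHH or \uHHHH. Quotes,
// backslashes, newlines, U+2028/2029 and "</script>" can then never end the
// string literal or the <script> element, because none of those characters
// appear literally in the rendered page; the escapes decode back to the
// original characters only after the JS engine has already parsed the string.
function encodeJS(value) {
  let out = '';
  const s = String(value);
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cu < 0x100) {
      out += '\\x' + cu.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + cu.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

const CONTEXT_PATH = '/app';                 // stands in for window.appSettings.context
const ORIGIN = 'https://app.example.test';   // protocol + host of the fake window

// Render the assignment the way the JSP would, interpolating the header
// through the given encoder. Passing the identity function reproduces a
// template that forgot to encode, so both cases can be compared.
function renderScript(headerValue, encoder = encodeJS) {
  return 'window.location.href = window.location.protocol + "//" + ' +
         'window.location.host + window.appSettings.context + ' +
         '"/?' + encoder(headerValue) + '";';
}

// Run the rendered statement against a fake window and report the href it
// ended up assigning. new Function only sandboxes the demo; the real code
// runs in the browser inside the .done() callback.
function resultingHref(headerValue, encoder = encodeJS) {
  const location = { protocol: 'https:', host: 'app.example.test', href: '' };
  const fakeWindow = { location, appSettings: { context: CONTEXT_PATH } };
  new Function('window', renderScript(headerValue, encoder))(fakeWindow);
  return location.href;
}

// The only way this sink becomes dangerous is the assigned URL leaving the
// application's own origin. The expression starts with protocol + host, so a
// javascript: or attacker-host URL requires breaking out of the literal.
function isSameOrigin(href) {
  return new URL(href).origin === ORIGIN;
}

// Constructed attack values for the policy-signout header.
const BREAKOUT = '";window.location.href="https://evil.test";//';
const SCRIPT_CLOSE = '</script><script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unencoded :', resultingHref(BREAKOUT, v => v));
  console.log('encoded   :', resultingHref(BREAKOUT));
  console.log('rendered  :', renderScript(SCRIPT_CLOSE));
}
```

With the identity encoder the first value ends the literal, assigns `https://evil.test` and comments out the rest; with `encodeJS` the same bytes stay inside the literal and the browser is sent to `https://app.example.test/app/?` followed by the header text as an ordinary query string. That is the check the answer is making: the encoding is the control, and splitting the line out into a variable only helps the scanner see it.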
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow