
XSS Cross Site Scripting Reflected in JavaScript file

My JS file has the following code:

function changeLanguage(newLang) {
    // The current URL is read from the address bar, so its contents are user-controlled
    var winLoc = String(this.window.location);
    var pos = winLoc.indexOf("lang=");
    var spacer = '?';
    if (pos > 0) {
        // A lang= parameter already exists: swap its two-letter value for newLang
        var curLang = winLoc.substring(pos + 5, pos + 7);
        winLoc = winLoc.replace('lang=' + curLang, 'lang=' + newLang);
    } else {
        // No lang= parameter yet: append one, using '&' if a query string is already present
        if (winLoc.indexOf("?") > 0) {
            spacer = '&';
        }
        winLoc = winLoc + spacer + 'lang=' + newLang;
    }

    this.window.location = winLoc;  // here is the issue
}

I am encountering an XSS (Cross Site Scripting) issue at the highlighted line when scanning the code with the HP Fortify tool.

What can I do here so that HP Fortify doesn't treat this as a vulnerability? Thanks in advance.

Assign the location using location.assign. It compares the origin of your script with the desired URL before it's assigned.
From the link above:

If the assignment can't happen because of a security violation, a DOMException of the SECURITY_ERROR type is thrown. This happens if the origin of the script calling the method is different from the origin of the page originally described by the Location object, mostly when the script is hosted on a different domain.

You can also use location.replace to prevent the current page from being saved in the session history.
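As an added example that is not part of the question or the answer above, here is a hardened rewrite of the changeLanguage() helper. It separates the URL construction into a pure function that can be unit-tested, builds the new URL with the standard URL/URLSearchParams API instead of string splicing, accepts only language codes from a fixed allowlist (the SUPPORTED_LANGS set is an assumption for this example), refuses non-http(s) schemes, and navigates via location.assign as the answer suggests. Because the navigation target is derived from validated parts rather than an untrusted string passed straight through, a static analyser has a much shorter taint path to reason about.

```javascript
// Added example, not code from the original post.
// SUPPORTED_LANGS is an assumed allowlist; adjust it to the languages your site ships.
const SUPPORTED_LANGS = new Set(["en", "de", "fr", "zh"]);

// Pure function: returns the href to navigate to, or throws on unacceptable input.
// Keeping it free of window/location makes it testable outside a browser.
function buildLanguageUrl(currentHref, newLang) {
  if (!SUPPORTED_LANGS.has(newLang)) {
    throw new Error("unsupported language code: " + String(newLang));
  }
  const url = new URL(currentHref);
  // Only http(s) pages are ever rewritten; this rejects javascript:, data:, blob: and friends.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("refusing to rewrite non-http(s) URL");
  }
  // set() replaces an existing lang=... value in place or appends one, so the
  // '?' versus '&' spacer logic and the substring-based replacement are no longer needed.
  url.searchParams.set("lang", newLang);
  return url.href;
}

// Browser entry point. Returns the URL it navigated to, or null when there is no window
// (for example when the module is loaded in a test runner).
function changeLanguage(newLang) {
  if (typeof window === "undefined") return null;
  const target = buildLanguageUrl(window.location.href, newLang);
  // Belt and braces: the rebuilt URL must stay on the current page's origin.
  if (new URL(target).origin !== window.location.origin) {
    throw new Error("cross-origin navigation blocked");
  }
  window.location.assign(target);
  return target;
}
```

A side effect of using the URL API is that fragments are handled correctly: for `https://example.com/page#top` the original code appends `?lang=de` after the `#top` fragment, which the browser treats as part of the fragment, whereas `buildLanguageUrl` yields `https://example.com/page?lang=de#top`.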
