Why this matters
Open redirects let an attacker craft a URL that sends users from a trusted site to a malicious one, typically for phishing. Always validate every URL used in a redirection and restrict it to trusted domains.
Side-by-side examples engineers can pattern-match during review.
Noncompliant code example:

const queryParams = new URLSearchParams(document.location.search);
const redirectUrl = queryParams.get("url");
document.location = redirectUrl; // Noncompliant: any attacker-supplied URL is followed

Compliant solution:

const queryParams = new URLSearchParams(document.location.search);
const redirectUrl = queryParams.get("url");
// Only follow the redirect when the target starts with a trusted origin.
// get() returns null when the parameter is absent, so guard before calling startsWith.
if (redirectUrl && redirectUrl.startsWith("https://www.example.com/")) {
  document.location = redirectUrl;
}
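The string-prefix check above works, but a parsed-origin check is more robust against look-alike hosts, protocol-relative paths and non-HTTP schemes. The following is an added example, not code from the original rule page; the trusted origin list, the function name and the sample inputs are all constructed for illustration.

```javascript
// Allow-list check for redirect targets using the WHATWG URL parser instead of
// a raw string prefix test. TRUSTED_ORIGINS is a constructed example value.
const TRUSTED_ORIGINS = new Set(["https://www.example.com"]);

// Returns a normalized absolute URL when `raw` is safe to redirect to, or null
// when it is missing, unparseable, uses a non-HTTP(S) scheme, or resolves to an
// origin outside the allow list. `currentOrigin` stands in for document.location.origin.
function resolveRedirectTarget(raw, currentOrigin = "https://www.example.com") {
  if (typeof raw !== "string" || raw.length === 0) {
    return null; // missing ?url= parameter: refuse rather than throw
  }
  let target;
  try {
    // Relative paths ("/account") resolve against our own origin;
    // protocol-relative ("//evil.example") and backslash forms ("/\evil.example")
    // resolve to a foreign host, which the origin check below catches.
    target = new URL(raw, currentOrigin);
  } catch (e) {
    return null; // unparseable input
  }
  // Reject non-HTTP(S) schemes such as javascript: or data: outright.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return null;
  }
  // Compare the parsed origin (scheme + host + port). This defeats look-alike
  // hosts (www.example.com.evil.example) and userinfo tricks
  // (https://www.example.com@evil.example/), which a naive prefix test may miss.
  if (!TRUSTED_ORIGINS.has(target.origin)) {
    return null;
  }
  return target.href;
}

// Constructed sample inputs a reviewer would want covered by tests.
const SAMPLE_INPUTS = [
  "/account/settings",                       // relative path: allowed
  "https://www.example.com/login?next=1",    // trusted origin: allowed
  "https://www.example.com.evil.example/",   // look-alike host: rejected
  "https://www.example.com@evil.example/",   // userinfo trick: rejected
  "//evil.example/phish",                    // protocol-relative: rejected
  "/\\evil.example/",                        // backslash normalizes to //: rejected
  "javascript:void(0)",                      // non-HTTP scheme: rejected
  "",                                        // missing parameter: rejected
];

// Returns the number of sample inputs that would be refused.
function countRejected(inputs = SAMPLE_INPUTS) {
  return inputs.filter((raw) => resolveRedirectTarget(raw) === null).length;
}
```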