Merge pull request #35 from IanSkelskey/alert-autofix-14

Potential fix for code scanning alert no. 14: DOM text reinterpreted as HTML
IanSkelskey · Feb 23, 2025 · 23aa29c · 23aa29c
2 parents 50ef0e4 + 987a1e2
commit 23aa29c
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/Open-ILS/web/js/ui/default/opac/record_selectors.js b/Open-ILS/web/js/ui/default/opac/record_selectors.js
@@ -293,11 +293,20 @@
 
     if (do_basket_action_el) {
         do_basket_action_el.addEventListener('click', function(evt) {
-            if (select_action_el.options[select_action_el.selectedIndex].value) { 
-                window.location.href = select_action_el.options[select_action_el.selectedIndex].value;
+            var selectedValue = select_action_el.options[select_action_el.selectedIndex].value;
+            if (selectedValue && isValidUrl(selectedValue)) {
+                window.location.href = selectedValue;
             }
             evt.preventDefault();
         });
     }
 
+    function isValidUrl(url) {
+        var allowedUrls = [
+            // Add allowed URLs here
+            'https://example.com/page1',
+            'https://example.com/page2'
+        ];
+        return allowedUrls.includes(url);
+    }
 })();