From 987a1e286eef3a868c284fad93785ec7408744bb Mon Sep 17 00:00:00 2001
From: Ian Skelskey <46094112+IanSkelskey@users.noreply.github.com>
Date: Sun, 23 Feb 2025 14:27:04 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 14: DOM text reinterpreted as HTML
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 Open-ILS/web/js/ui/default/opac/record_selectors.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/Open-ILS/web/js/ui/default/opac/record_selectors.js b/Open-ILS/web/js/ui/default/opac/record_selectors.js
index f89d0046c3..53ef1ea662 100644
--- a/Open-ILS/web/js/ui/default/opac/record_selectors.js
+++ b/Open-ILS/web/js/ui/default/opac/record_selectors.js
@@ -293,11 +293,20 @@
 if (do_basket_action_el) {
 do_basket_action_el.addEventListener('click', function(evt) {
- if (select_action_el.options[select_action_el.selectedIndex].value) {
- window.location.href = select_action_el.options[select_action_el.selectedIndex].value;
+ var selectedValue = select_action_el.options[select_action_el.selectedIndex].value;
+ if (selectedValue && isValidUrl(selectedValue)) {
+ window.location.href = selectedValue;
 }
 evt.preventDefault();
 });
 }
+ function isValidUrl(url) {
+ var allowedUrls = [
+ // Add allowed URLs here
+ 'https://example.com/page1',
+ 'https://example.com/page2'
+ ];
+ return allowedUrls.includes(url);
+ }
 })();
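Review bot: `isValidUrl` allowlists only the placeholder entries `'https://example.com/page1'` and `'https://example.com/page2'`, so every real option value of `select_action_el` fails the check and the click handler now does nothing but `evt.preventDefault()` — the basket action button is effectively disabled by this patch. The navigated value is an `<option value>` of the page's own select element, which is presumably server-rendered rather than attacker-controlled, and the alert title ("DOM text reinterpreted as HTML") does not obviously describe a `window.location.href` assignment; if a guard is still wanted, a scheme/origin check that rejects `javascript:` and cross-site targets keeps the feature working without a hand-maintained list. The enclosing IIFE (closed by `})();`) starts outside the hunk. `URL` and `location.origin` need a modern browser; if older browsers must be supported, resolve the value through an anchor element instead.
```javascript
function isValidUrl(url) {
    // Accept only http(s) targets on this origin; relative paths resolve against the page.
    var target;
    try {
        target = new URL(url, window.location.href);
    } catch (e) {
        return false;
    }
    return (target.protocol === 'http:' || target.protocol === 'https:') &&
        target.origin === window.location.origin;
}
```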