Potential fix for code scanning alert no. 14: DOM text reinterpreted …

…as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
IanSkelskey · Feb 23, 2025 · 987a1e2 · 987a1e2
1 parent 50ef0e4
commit 987a1e2
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/Open-ILS/web/js/ui/default/opac/record_selectors.js b/Open-ILS/web/js/ui/default/opac/record_selectors.js
@@ -293,11 +293,20 @@
 
     if (do_basket_action_el) {
         do_basket_action_el.addEventListener('click', function(evt) {
-            if (select_action_el.options[select_action_el.selectedIndex].value) { 
-                window.location.href = select_action_el.options[select_action_el.selectedIndex].value;
+            var selectedValue = select_action_el.options[select_action_el.selectedIndex].value;
+            if (selectedValue && isValidUrl(selectedValue)) {
+                window.location.href = selectedValue;
             }
             evt.preventDefault();
         });
     }
 
+    function isValidUrl(url) {
+        var allowedUrls = [
+            // Add allowed URLs here
+            'https://example.com/page1',
+            'https://example.com/page2'
+        ];
+        return allowedUrls.includes(url);
+    }
 })();