rspec/rules/S5146/javascript/how-to-fix-it/express.adoc

=== How to fix it in Express.js

include::../../common/fix/code-rationale.adoc[]

==== Non-compliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
server.get('/redirect', (request, response) => {
   
   response.redirect(request.query.url); // Noncompliant
});
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
server.get('/redirect', (request, response) => {

   if (request.query.url.startsWith("https://www.example.com/")) { 
      response.redirect(request.query.url);
   }
});
----

include::../../common/fix/how-does-this-work.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]
Modify S5146(multiple languages): Update to the education framework (APPSEC-185) (#1330) 2022-10-24 11:45:06 +02:00			`=== How to fix it in Express.js`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Non-compliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`server.get('/redirect', (request, response) => {`

			`response.redirect(request.query.url); // Noncompliant`
			`});`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`server.get('/redirect', (request, response) => {`

			`if (request.query.url.startsWith("https://www.example.com/")) {`
			`response.redirect(request.query.url);`
			`}`
			`});`
			`----`

			`include::../../common/fix/how-does-this-work.adoc[]`

			`=== Pitfalls`

			`include::../../common/pitfalls/starts-with.adoc[]`