Fix XSS in goToHome

x1ddos · x1ddos · commit 3dd749c678a9 · 2015-12-07T19:51:41.000Z
diff --git a/google-codelab.html b/google-codelab.html
@@ -427,6 +427,7 @@ <h2>Would you like to resume where you left off?</h2>
       },
 
       _goToHome: function () {
+        // extract 'index' search param
         var index;
         var parts = location.search.substring(1).split('&');
         for (var i = 0; i < parts.length; i++) {
@@ -436,13 +437,15 @@ <h2>Would you like to resume where you left off?</h2>
             break;
           }
         }
-
-        var returnToIndex = index ? decodeURIComponent(index) : index;
-        if (!returnToIndex || returnToIndex.slice(-6) === '/index') {
-          returnToIndex = '/';
+        // decode and extract index name from the search param
+        // default index is 'index'
+        index = index ? decodeURIComponent(index) : '';
+        index = index.replace(/[^a-z0-9\-]+/ig, '');
+        if (index === 'index') {
+          index = '';
         }
-
-        window.location.href = returnToIndex;
+        // navigate away to the index page
+        window.location.href = '/' + index;
       },
 
       _tocItemClass: function(selected, i) {
