
ecmascript 6 - How to solve Open Redirect vulnerability - Stack Overflow


In a webapp we are trying to solve an Open Redirect vulnerability.

The code is like this:

window.location.href = DOMPurify.sanitize(data.href);

Which apparently is vulnerable. One recommended solution is to hardcode the http-host:

window.location.href = `${DOMPurify.sanitize(data.href)}`;

Problem: the webapp is deployed on several hosts, with different hostnames. We tried a few options:

  • get hostname using new URL(window.location.href) --> vulnerable
  • get hostname using new URL(window.location.href), check if in allow-list --> vulnerable
  • set hostname hardcoded in html-template --> vulnerable

We are running Snyk to test, and it keeps giving errors. Any clues?
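One way to implement the allow-list check the question describes, as an added example that is not code from the question (the hostnames and the `safeRedirectTarget` / `redirect` names are assumptions). DOMPurify sanitizes HTML markup, not redirect destinations, so the check has to be done on the parsed URL's origin rather than on the string itself.

```javascript
// Constructed sample deployment origins (scheme + host + port), one per host
// the app is served from; a real app would fill this from its build config.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://app-eu.example.com",
]);

// Resolve the candidate against the page's own origin and accept it only when
// the resulting origin is on the allow-list. Returns the normalized absolute
// URL string, or null when the target must not be followed.
function safeRedirectTarget(candidate, currentOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  let target;
  try {
    // Relative paths ("/dashboard") resolve against currentOrigin, while
    // absolute URLs, protocol-relative "//host" and "javascript:" inputs keep
    // their own scheme and host, which is what the checks below catch.
    target = new URL(candidate, currentOrigin);
  } catch {
    return null; // unparsable input is rejected, never passed through
  }
  // Only http(s) may be followed; this rules out javascript:, data:, etc.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Compare the full origin, not a substring of the host: a host such as
  // attacker.example/app.example.com or app.example.com.attacker.example fails here.
  if (!allowedOrigins.has(target.origin)) return null;
  return target.href;
}

// Browser entry point (hypothetical): redirect to a fixed safe page when the
// supplied target is rejected instead of falling back to the raw value.
function redirect(candidate) {
  const href = safeRedirectTarget(candidate, window.location.origin);
  window.location.href = href ?? "/";
}
```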
