A redirect looks simple until it becomes an XSS hole.
The problem is not just navigation.
It is untrusted input,
unsafe schemes such as javascript: that execute instead of navigating,
history that still holds a page the user should never return to,
and code that keeps running after the redirect starts.
That is why redirects deserve a real helper:
validate the URL by parsing it rather than by matching the string,
allow only http: and https:,
optionally restrict destinations to an allow list of hosts,
and choose assign or replace deliberately.
Small function.
Big difference.
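Here is what such a helper looks like, as an added example and not code from the original post. The names validateRedirect, safeRedirect and afterLogin, the option names (base, allowedHosts, replace, fallback) and the sample origin https://app.example are all illustrative assumptions. It runs in a browser (where it navigates) and in Node (where it only returns the decision), so the checks can be exercised without a page.

```javascript
// Added example, not code from the original post. The helper names
// (validateRedirect, safeRedirect, afterLogin), the option names and the
// sample origin https://app.example are illustrative assumptions.

// Only plain web navigation schemes are allowed. Everything else
// (javascript:, data:, vbscript:, blob:, file:, ...) is rejected.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Parse and check a redirect target without navigating anywhere.
// `base` is the URL relative targets resolve against (normally location.href);
// `allowedHosts` is an optional exact-match allow list of hostnames.
function validateRedirect(raw, { base, allowedHosts } = {}) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "missing or empty target" };
  }
  // Use the same URL parser the browser will use instead of pattern-matching
  // the raw string: the parser strips tabs/newlines and lowercases the scheme,
  // so "java\tscript:" or "JAVASCRIPT:" still come out as protocol
  // "javascript:", and "//evil.example/x" resolves to another host.
  // Checking the parsed result is what makes those bypasses fail.
  let url;
  try {
    url = new URL(raw.trim(), base);
  } catch {
    return { ok: false, reason: "unparseable target" };
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `unsafe protocol ${url.protocol}` };
  }
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not allowed` };
  }
  return { ok: true, href: url.href };
}

// Validate, then navigate. Invalid targets go to `fallback` (a known-safe
// local path) instead of failing silently. Returns the URL it chose so the
// decision is visible to callers and to tests outside a browser.
function safeRedirect(raw, { replace = false, fallback = "/", ...rest } = {}) {
  const loc = globalThis.location; // undefined outside a browser
  const base = rest.base ?? (loc ? loc.href : undefined);
  if (!base) throw new Error("safeRedirect needs a base URL outside a browser");
  const result = validateRedirect(raw, { ...rest, base });
  const target = result.ok ? result.href : new URL(fallback, base).href;
  if (loc) {
    // replace(): the current page drops out of history, so Back does not
    // land on a login or interstitial page. assign(): normal navigation.
    if (replace) loc.replace(target); else loc.assign(target);
  }
  return target;
}

// Typical call site: a post-login "next" parameter taken from the query
// string. Nothing but `return` follows the redirect call on purpose:
// setting location does not stop the script, so any code placed after it
// would still execute.
function afterLogin(nextParam, base = "https://app.example/login") {
  const target = safeRedirect(nextParam, {
    base,
    allowedHosts: ["app.example"], // only our own host, exact match
    replace: true,                 // do not leave the login page in history
  });
  return target;
}
```

Two design choices worth noting. The host check is an exact match on `url.hostname`, so `app.example.evil.example` does not pass; if subdomains are wanted, add them to the list explicitly rather than testing with `endsWith`. And the fallback is resolved through the same parser as the target, so a misconfigured fallback cannot itself become the open redirect.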
