chaithaly gowda

Fixing XSS issues: window.location.href ='{!$Currentpage.parameters.retURL}

Hi

I was trying to fix all the XSS issues in my VF page, and found this line inside a <script> tag:
window.location.href = '{!$Currentpage.parameters.retURL}';
So, my question is: does it need to be encoded like window.location.href = '{!JSENCODE($Currentpage.parameters.retURL)}'; ?
Please provide me an explanation for better understanding.

Thanks
Anudeep (Salesforce Developers)
Based on the example given in the documentation, the JSENCODE function is used to prevent JavaScript from being executed:
<script>var ret = "{!JSENCODE($CurrentPage.parameters.retURL)}";</script>

As far as I know, it should not be used in your case.
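To make the two variants from the thread concrete, here is an added example (not code from either post or from Salesforce) that models how the retURL merge field lands inside the script's string literal and what a JSENCODE-style escape changes. The jsEncode() function is an approximation written for this illustration and is not Salesforce's implementation; the sample parameter value and the isLocalRedirect() helper are constructed here as well.

```javascript
// Approximation of JSENCODE (assumption, not Salesforce's code): escape the
// characters that could end a JavaScript string literal or the <script> block.
function jsEncode(value) {
  return String(value).replace(/[\\'"<>\r\n\u2028\u2029]/g, (ch) => ({
    '\\': '\\\\', "'": "\\'", '"': '\\"',
    '<': '\\x3C', '>': '\\x3E',       // a literal "</script>" cannot close the block
    '\r': '\\r', '\n': '\\n',
    '\u2028': '\\u2028', '\u2029': '\\u2029'
  })[ch]);
}

// Server-side rendering of the line from the VF page: the parameter value is
// merged into the template text. `encode` selects between the two variants.
function renderScript(retURL, encode) {
  const merged = encode ? jsEncode(retURL) : retURL;
  return "window.location.href = '" + merged + "';";
}

// Structural check: the rendered line must still be one assignment of a single
// string literal. A value that terminates the literal early fails this test.
const SINGLE_LITERAL = /^window\.location\.href = '((?:[^'\\\r\n]|\\.)*)';$/;
function staysInsideLiteral(script) {
  return SINGLE_LITERAL.test(script);
}

// Recover the runtime value of that literal, i.e. what the browser would assign.
// Returns null when the line is no longer a single string literal.
function literalValue(script) {
  const m = SINGLE_LITERAL.exec(script);
  if (!m) return null;
  try {
    return new Function("return '" + m[1] + "';")();
  } catch (e) {
    return null; // malformed escape sequence in the raw value
  }
}

// Separate concern from encoding: escaping keeps the value inside the string,
// not where the redirect goes. Accept only same-origin relative paths.
function isLocalRedirect(retURL) {
  return /^\/(?![\/\\])/.test(retURL);
}

// Constructed sample: a benign path whose apostrophe breaks the unencoded line.
const SAMPLE = "/apex/Home?owner=O'Brien";
console.log(staysInsideLiteral(renderScript(SAMPLE, false))); // false
console.log(staysInsideLiteral(renderScript(SAMPLE, true)));  // true
console.log(literalValue(renderScript(SAMPLE, true)) === SAMPLE); // true
```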