Hello, I am working on a legacy React codebase trying to refactor a webapp that has some XSS scripting vulnerabilities. The app gets built with webpack and then passed into Goja on the golang apps initialization.

I am trying to transform URL Search Params. My goal was to fetch the query parameters from the existing URL, do some checks, and then potentially transform the URL and force a redirect by setting window.location.

My first implementation made heavy use of URLSearchParams and the global window object. This didn't work when adding the code into goja with the error: ReferenceError: URLSearchParams is not defined

So, I tried a second implementation that didn't use URLSearchParams. But now, I get the following error: ReferenceError: window is not defined.

Do you have any recommendations on how to work around this whilst using Goja? Would this be a better use-case for the nodejs Goja? Optimally, I'd like to continue using Goja for less drift in the codebase.

Hi. I'm not exactly sure what you are trying to achieve, but window is part of the browser API, goja only implements the core ECMAScript specification.

In my situation, if the server responds with some html and a referer query parameters like: https://someurl.com/somerandompath?referer=javascript:prompt(document.domain);

The browser will execute the javascript on the RHS of that javascript in the URL. So, I tried writing javascript at the top of the scripts I feed into goja, to look for that "referer" query parameter and then remove it in certain cases. This guarantees that a user cannot feed javascript to be executed via the browser.

Both of my implementations I added to the javascript that gets passed through goja, uses parts of the browser/node API's - which gets rejected by goja with an error.

In a last ditch effort to solve this problem, I wanted to see if you had any other ideas to solve this. If not, no worries - thanks for your time and I'll close this out.

goja runs on server backend, it seems to me that you need Html parser can run in goja?
You could implement one using golang html parser and inject it into your vm?