An example of how this might occur is shown below. A JSP defines a JavaScript function called "gotoPreferences()", which causes the browser to re-navigate to a URL ("prefURL"). Note that prefURL is constructed dynamically by incorporating untrusted data -- the "category" parameter.
<script type="text/javascript">
function gotoPreferences()
{
    // "category" is written into the script unescaped, as JavaScript source
    var prefURL="https://www.server.com/prefs.jsp?category=" + <%= request.getParameter("category") %>;
    location.href=prefURL;
}
</script>
To exploit XSS, an attacker might set the value of "category" to:
"";location.href="http://www.evilsite.com"
The resulting line in the HTML would then be:
var prefURL="https://www.server.com/prefs.jsp?category=" + "";location.href="http://www.evilsite.com";
When the function was called, the victim would be navigated to the attacker's site instead of the expected URL.
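The injection described above, next to one way to close it, as an added example that is not part of the original page. It renders the script body both ways and runs each against a stand-in `location` object; the function names are hypothetical, and the hardened version assumes the parameter is meant to be a plain query-string value.

```javascript
// Added example: renderVulnerable, renderHardened, jsStringLiteral and
// navigationsRequested are hypothetical names, not code from the page.
const BASE = "https://www.server.com/prefs.jsp?category=";

// Mirrors the JSP: the parameter is pasted into the script as raw source.
function renderVulnerable(category) {
  return 'var prefURL="' + BASE + '" + ' + category + ";\nlocation.href=prefURL;";
}

// Quote a value as a JS string literal that is safe inside an HTML <script>
// block: every character outside a small allow-list becomes \uXXXX, so
// quotes, backslashes, line breaks and "</script>" cannot end the literal.
function jsStringLiteral(value) {
  const escaped = String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
  return '"' + escaped + '"';
}

// URL-encode first (the value is a query parameter), then quote it.
function renderHardened(category) {
  const literal = jsStringLiteral(encodeURIComponent(category));
  return 'var prefURL="' + BASE + '" + ' + literal + ";\nlocation.href=prefURL;";
}

// Stand-in for the browser: run the script body against a fake `location`
// and record every navigation it asks for.
function navigationsRequested(scriptBody) {
  const requested = [];
  const location = { set href(url) { requested.push(url); } };
  new Function("location", scriptBody)(location);
  return requested;
}

// The "category" value shown on the page.
const PAYLOAD = '"";location.href="http://www.evilsite.com"';

console.log(navigationsRequested(renderVulnerable(PAYLOAD)));
console.log(navigationsRequested(renderHardened(PAYLOAD)));
```

In the JSP itself, the same two steps are applied server-side: URL-encode the parameter, then pass it through a JavaScript-context encoder before writing it between quotes.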