Checkmarx fixes (SAP#2651)

core/src/core-api/routing.js

@@ -56,7 +56,7 @@ class LuigiRouting {
       RoutingHelpers.modifySearchParams(params, url.searchParams);
     }
 
-    this.handleBrowserHistory(keepBrowserHistory, url.href);
+    this.handleBrowserHistory(keepBrowserHistory, url);
     LuigiConfig.configChanged();
   }
 
@@ -74,11 +74,22 @@ class LuigiRouting {
       RoutingHelpers.modifySearchParams(params, url.searchParams, paramPrefix);
     }
 
-    this.handleBrowserHistory(keepBrowserHistory, url.href);
+    this.handleBrowserHistory(keepBrowserHistory, url);
     LuigiConfig.configChanged();
   }
 
-  handleBrowserHistory(keepBrowserHistory, href) {
+  sanitizeUrl(url) {
+    return new URL(location).origin === new URL(url).origin ? url : undefined;
+  }
+
+  handleBrowserHistory(keepBrowserHistory, url) {
+    const href = this.sanitizeUrl(url.href);
+
+    if (!href) {
+      console.warn('invalid url: ' + href);
+      return;
+    }
+
     if (keepBrowserHistory) {
       window.history.pushState({}, '', href);
     } else {
@@ -90,7 +101,7 @@ class LuigiRouting {
     const { hash } = new URL(location);
     const useHashRouting = LuigiConfig.getConfigValue('routing.useHashRouting');
 
-    return (useHashRouting && hash.split('#').length === 2) ? '' : hash.split('#').pop();
+    return useHashRouting && hash.split('#').length === 2 ? '' : hash.split('#').pop();
   }
 
   setAnchor(value) {

website/fiddle/public/examples/microfrontends/multipurpose.html

@@ -51,7 +51,7 @@ <h1 id="title">Multi purpose demo page</h1>
         } else {
           document.body.style.display = 'block';
           document.getElementById('title').innerHTML = route
-            ? `<h2>${route.replace('#/', '')}</h2>`
+            ? `<h2>${encodeURIComponent(route.replace('#/', ''))}</h2>`
             : '';
         }
       }