Fixed #8549 - Navigate to URL cross-site scripting attack (#8550)

Co-authored-by: tsv2013 <[email protected]>

src/utils/utils.ts

@@ -157,7 +157,7 @@ function scrollElementByChildId(id: string) {
 function navigateToUrl(url: string): void {
   const location = DomWindowHelper.getLocation();
   if (!url || !location) return;
-  location.href = url;
+  location.href = encodeURIComponent(url);
 }
 
 function wrapUrlForBackgroundImage(url: string): string {

tests/surveytests.ts

@@ -65,6 +65,7 @@ import { defaultV2Css } from "../src/defaultCss/defaultV2Css";
 import { StylesManager } from "../src/stylesmanager";
 import { ITheme } from "../src/themes";
 import { Cover } from "../src/header";
+import { DomWindowHelper } from "../src/global_variables_utils";
 
 export default QUnit.module("Survey");
 
@@ -20125,3 +20126,21 @@ QUnit.test("Delete panel with questions", (assert) => {
   assert.notOk(survey.getPanelByName("panel1"), "#5");
   assert.notOk(survey.getQuestionByName("question1"), "#6");
 });
+
+QUnit.test("survey navigateToUrl encode url", function (assert) {
+  var survey = new SurveyModel({
+    questions: [
+      {
+        type: "text",
+        name: "q1",
+      }
+    ],
+    "navigateToUrl": "javascript:alert(2)",
+  });
+
+  const location: Location = {} as any;
+  DomWindowHelper.getLocation = <any>(() => location);
+
+  survey.doComplete();
+  assert.equal(location.href, "javascript%3Aalert(2)", "encoded URL");
+});