Is this JavaScript code vulnerable to DOM-based XSS?

In and of itself, no, because you actually do nothing with the user-driven text except run Splits() on it and no way to use that to inject code.

It's not very good code – you should use it location.search instead of location.href.split ("?")[1] For example, you almost never want to use a real string, such as "none", to indicate the absence of a value, especially if the expected type of the value is string (use one of the built-in values, such as zero or not defined) – but it is not inherently uncertain. Of course, depending on what you have do It could easily become vulnerable to your variables, but it is not.

To avoid adding a vulnerability:

  • Under no circumstances use eval () on user-influenced data. It is best to avoid it altogether (and its equivalents).
  • Do not use user-controlled data as an identifier for JavaScript objects, especially if the user has some control over the value assigned to a property or passed to a function.
  • Do not include user-influenced data in the DOM (for example, using innerHTML) without first disinfecting it, and if possible, use functions or properties that automatically disinfect the content instead of trying it for yourself.
  • Use user-driven data to create URLs (from top-level navigation to image sources) to prevent an attacker from controlling the recipient of the request in a way that causes information to be lost or malicious content to be loaded.