In and of itself, no, because you actually do nothing with the user-driven text except run split() on it, and there is no way to use that to inject code.
It's not very good code – you should use location.search instead of location.href.split("?"), for example, and you almost never want to use an actual string such as "none" to indicate the absence of a value, especially if the expected type of the value is string (use one of the built-in values such as undefined) – but it is not inherently insecure. Of course, depending on what you do with those variables it could easily become vulnerable, but as it stands it is not.
To avoid adding a vulnerability:
- Under no circumstances use eval() on user-influenced data. It is best to avoid it (and its equivalents) altogether.
- Do not insert user-influenced data into the DOM (for example via innerHTML) without sanitizing it first, and where possible use functions or properties that automatically sanitize the content instead of trying to do it yourself.
- Do not use user-driven data to construct URLs (from top-level navigation to image sources), to prevent an attacker from controlling the destination of the request in a way that leaks information or loads malicious content.
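The points above, written out as an added example (not code from the question or the answer): query parsing via location.search semantics with undefined for a missing key, DOM output through textContent rather than innerHTML, and a same-origin allow-list before using a user-supplied URL. The search string and origin are passed in as parameters (assumed names) so it also runs outside a browser.

```javascript
// Read one query parameter the way the answer recommends: `search` is the
// value of location.search (e.g. "?name=Alice&theme=dark"), passed in as a
// parameter so this runs under Node as well as in a page.
function getParam(search, key) {
  const params = new URLSearchParams(search); // handles the leading "?" and %xx decoding
  const value = params.get(key);
  // Absent key -> undefined, never a sentinel string like "none".
  // A present-but-empty key ("?x=") still yields "" so the two cases stay distinct.
  return value === null ? undefined : value;
}

// Render user-influenced text through textContent, so markup in the value
// stays literal text instead of being parsed as HTML (the innerHTML pitfall).
// `el` is any object with a textContent property (a DOM element or a stub).
function renderGreeting(el, search) {
  const name = getParam(search, "name");
  el.textContent = name === undefined ? "Hello, guest" : `Hello, ${name}`;
  return el.textContent;
}

// Only allow a user-supplied "next" target that resolves to our own origin.
// Returns the safe relative target, or undefined if it must not be followed.
// `origin` is the page's own origin, e.g. "https://app.example" (assumed value).
function safeRedirectTarget(search, origin) {
  const next = getParam(search, "next");
  if (next === undefined) return undefined;
  let url;
  try {
    url = new URL(next, origin); // resolves relative paths; "//evil.example/x" becomes cross-origin
  } catch {
    return undefined; // unparsable input is treated as absent
  }
  // Cross-origin targets and non-http(s) schemes (origin "null") are rejected.
  if (url.origin !== origin) return undefined;
  return url.pathname + url.search + url.hash;
}
```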