Why is setting window.location.href to a local storage item value considered a DOM XSS vulnerability?
Fortify SCA reports that the following code is DOM XSS vulnerable:

    const returnUrl = sessionStorage.getItem('returnUrl') || '/';
    window.location.href = returnUrl;

When a user enters my application by clicking a link, for example, and the user is not logged in:

- The app stores window.location.href into the returnUrl item in session storage.
- It sets window.location.href to an external…
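The reason the scanner flags this is that window.location.href accepts any URL, including javascript: and data: URLs, so whatever was written into sessionStorage earlier (by any script on the origin, or by an earlier injection) decides where, or what, the browser runs next. The following is an added example, not code from the question, showing the pattern as posted next to a hardened version that only accepts same-origin paths; the origin is passed in explicitly so the check can be exercised outside a browser, and the `win` parameter is a stand-in for the browser `window`.

```javascript
// Added example: validate a stored return URL before assigning it to window.location.href.
// Assumes the 'returnUrl' sessionStorage key from the question; `origin` is passed in
// explicitly (hypothetical parameter) so the check can run outside a browser.

// Returns a same-origin path, or the fallback '/' when the stored value is not acceptable.
function safeReturnUrl(value, origin, fallback = '/') {
  if (typeof value !== 'string' || value.length === 0) return fallback;
  let parsed;
  try {
    // Relative values resolve against our own origin; absolute values keep their scheme/host.
    parsed = new URL(value, origin);
  } catch {
    return fallback; // not parseable as a URL at all
  }
  // Anything that does not resolve to our own origin is rejected. This covers javascript:
  // and data: (origin "null"), http(s) to other hosts, and protocol-relative //host forms.
  if (parsed.origin !== origin) return fallback;
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  // Re-emit only path, query and fragment so nothing else from the stored value survives.
  return parsed.pathname + parsed.search + parsed.hash;
}

// The pattern from the question: the stored value is trusted as-is (DOM XSS / open redirect sink).
function redirectUnsafe(win) {
  const returnUrl = win.sessionStorage.getItem('returnUrl') || '/';
  win.location.href = returnUrl;
}

// Hardened version: same flow, but the value is validated against our origin first.
function redirectSafe(win) {
  const stored = win.sessionStorage.getItem('returnUrl');
  win.location.href = safeReturnUrl(stored, win.location.origin);
}
```

Storing only an origin-relative path at login time (rather than the full window.location.href) and re-validating it on the way out, as above, removes the sink the scanner is pointing at.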