DOM-Based cross-site scripting on window.location.pathname


A scan with Burp has identified a DOM-Based cross-site scripting vulnerability.

The only script with a sink is the following.

Do you think it’s a false positive? (Can I make it more secure in some way?)

    var sPageURL = window.location.pathname;
    var urlParts = sPageURL.split('/');
    var page = urlParts[urlParts.length - 1];

    // Select anchors whose href is not a bare '#', then keep those whose
    // resolved href contains the current page name (case-insensitive)
    // and carries no fragment.
    var elem = $("a[href!='#']").filter(function () {
        //console.log(this.href + ' ' + this.href.toLowerCase().indexOf(page.toLowerCase()));
        return ((this.href.toLowerCase().indexOf(page.toLowerCase()) > 0) && (this.href.indexOf('#') < 0));
    });
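As an added example (not code from the post), the filter's predicate rewritten as a pure function with no jQuery or DOM, so its behaviour can be checked in isolation, next to a stricter variant that compares whole decoded path segments instead of substrings. In both, the value taken from the pathname is only an argument to string comparisons and is never written into the document; the base URL `https://example.test/` is a constructed value.

```javascript
// Last path segment, computed the same way as the posted script.
function lastSegment(pathname) {
  const parts = pathname.split('/');
  return parts[parts.length - 1];
}

// Posted logic: case-insensitive substring match on the resolved href,
// excluding any href that contains a fragment. Note the tainted `page`
// only flows into indexOf(); nothing is assigned to the DOM.
function matchesLoose(href, pathname) {
  const page = lastSegment(pathname);
  return href.toLowerCase().indexOf(page.toLowerCase()) > 0 &&
         href.indexOf('#') < 0;
}

// Stricter variant: resolve the href against a base, reject fragments,
// and require the decoded last segments to be equal (case-insensitive).
// This removes the over-match of short page names such as "a".
function matchesStrict(href, pathname, base) {
  let target;
  try {
    target = new URL(href, base);
  } catch (e) {
    return false; // unparsable href never matches
  }
  if (target.hash) return false;
  let page, linkPage;
  try {
    page = decodeURIComponent(lastSegment(pathname));
    linkPage = decodeURIComponent(lastSegment(target.pathname));
  } catch (e) {
    return false; // malformed percent-encoding never matches
  }
  return page !== '' && page.toLowerCase() === linkPage.toLowerCase();
}
```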