window.location = window.Server.mapPath('~/TestAdminis/Index?testId=' + testId + '&redirectFromCreateTest=' + true);
What redirection trick could a hacker play if the code above is used?
So, when the page renders, that URL value exists in the DOM. And a hacker could use some tool to insert his own domain and url into that variable.
Do I have that right?
What do I do about it?