Best way to safely read query string parameters?

Question

Hello all,

We have a project that generates a code snippet that can be used on various other projects. The purpose of the code is to read two parameters from the query string and assign them to the "src" attribute of an iframe.

For example, the page at the URL http://oursite/Page.aspx?a=1&amp;b=2 would have JavaScript in it to read the "a" and "b" parameters. The JavaScript would then set the "src" attribute of an iframe based on those parameters. For example, "<iframe src="http://someothersite/Page.aspx?a=1&amp;b=2" />"

We're currently doing this with server-side code that uses Microsoft's Anti Cross-Scripting library to check the parameters. However, a new requirement has come stating that we need to use JavaScript, and that it can't use any third-party JavaScript tools (such as jQuery or Prototype).

One way I know of is to replace any instances of "<", single quote, and double quote from the parameters before using them, but that doesn't seem secure enough to me.

One of the parameters is always a "P" followed by 9 integers. The other parameter is always 15 alpha-numeric characters. (Thanks Liam for suggesting I make that clear).

Does anybody have any suggestions for us?

Thank you very much for your time.

Answer 1

Using a whitelist-approach would be better I guess. Avoid only stripping out "bad" things. Strip out anything except for what you think is "safe".

Also I'd strongly encourage to do a HTMLEncode the Parameters. There should be plenty of Javascript functions that can this.

Answer 2

you can use javascript's escape() and unescape() functions.

Answer 3

Several things you should be doing:

• Strictly whitelist your accepted values, according to type, format, range, etc
• Explicitly blacklist certain characters (even though this is usually bypassable), IF your whitelist cannot be extremely tight.
• Encode the values before output, if youre using Anti-XSS you already know that a simple HtmlEncode is not enough
• Set the src property through the DOM - and not by generating HTML fragment
• Use the dynamic value only as a querystring parameter, and not for arbitrary sites; i.e. hardcode the name of the server, target page, etc.
• Is your site over SSL? If so, using a frame may cause inconsistencies with SSL UI...
• Using named frames in general, can allow Frame Spoofing; if on a secure site, this may be a relevant attack vector (for use with phishing etc.)

Answer 4

Don't use escape and unescape, use decodeURIComponent. E.g.

function queryParameters(query) {
  var keyValuePairs = query.split(/[&?]/g);
  var params = {};
  for (var i = 0, n = keyValuePairs.length; i < n; ++i) {
    var m = keyValuePairs[i].match(/^([^=]+)(?:=([\s\S]*))?/);
    if (m) {
      var key = decodeURIComponent(m[1]);
      (params[key] || (params[key] = [])).push(decodeURIComponent(m[2]));
    }
  }
  return params;
}

and pass in document.location.search.

As far as turning < into &lt;, that is sufficient to make sure that the content can be safely injected into HTML without allowing script to run. Make sure you escape the following <, >, &, and ".

It will not guarantee that the parameters were not spoofed. If you need to verify that one of your servers generated the URL, do a search on URL signing.

Answer 5

You can use regular expressions to validate that you have a P followed by 9 integers and that you have 15 alphanumeric values. I think that book that I have at my desk of RegEx has some examples in JavaScript to help you.

Limiting the charset to only ASCII values will help, and follow all the advice above (whitelist, set src through DOM, etc.)