I have a grid which has a link to the next page, and I have a button to navigate back to the grid from the current page. Until now I was using this method to navigate back, i.e.

     <INPUT TYPE="BUTTON" VALUE="Back to Datagrid" onClick="history.go(-1);">

But I faced some issues navigating when I had some other constraints along with that, so I found out something like:

    $exit = $ENV{'HTTP_REFERER'};
    <INPUT TYPE="BUTTON" VALUE="Back to Datagrid" onClick="$exit">

But it's not working. I have no idea why, and what's the difference between these two methods?

+4  A: 

The first method attempts to duplicate the function of the back button.

The second method takes whatever the browser claims is the URI of the previous page, puts it in the page without sanitizing it, and attempts to run the URI as if it were JavaScript. This promptly errors because URIs are very rarely valid JavaScript.

The better approach would be to work out the URI you want to go to (presumably based on the data that you used to build the current page with) and create a normal forward-pointing link (<a href...) to it … and let the user use the built-in back button in their browser if they want to go back. This approach:

  • Won't fail if JS isn't available
  • Won't fail if their browser doesn't send an optional HTTP header
  • Won't confuse users by making their browser's history work in unexpected ways

I'm not certain, but I suspect there is a risk that someone could craft a URI and put a link on it to your page, including "<script>... in it. A user could then click on that link, get the URI of the page they came from inserted into the page, and introduce you to an XSS attack. (I think this should fail because some of those characters should be URI encoded, but I wouldn't want to risk it — always put in the standard protections against XSS whenever you have data coming from outside your system and back into your page)

David Dorward
Thanks for the information, but can you please let me know if there's any way to make the second method run, or whether I should go with the first method itself!
SUSH
Umm. You treat it as a URI instead of as JavaScript. Either write a script that uses a URI (instead of assuming a URI *is* a script) or just use a link. Or don't, because you can't trust the referer to be there in the first place.
David Dorward
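The approach the answer and the last comment recommend, as an added example that is not part of the original thread: compute the back link on the server, treat the Referer value as an untrusted URI (never as script), accept it only if it points at your own origin, and HTML-escape it at the point where it goes into the page. `SITE_ORIGIN` and `GRID_URL` are constructed placeholders.

```javascript
// Added example (not from the original post): build the "Back to Datagrid"
// link server-side, treating the Referer as an untrusted URI, not as code.
// Assumptions: the grid lives at GRID_URL on the origin SITE_ORIGIN
// (both constructed placeholders for this example).

const SITE_ORIGIN = "https://app.example.com";
const GRID_URL = SITE_ORIGIN + "/datagrid";

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Use the Referer only if it parses as an http(s) URL on our own origin;
// otherwise fall back to the known grid URL. The header is optional and
// attacker-controlled, so a missing or foreign value must not break anything.
function backLinkTarget(referer) {
  if (typeof referer !== "string" || referer === "") return GRID_URL;
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return GRID_URL;                      // not an absolute URL: ignore it
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return GRID_URL;
  if (url.origin !== SITE_ORIGIN) return GRID_URL;  // off-site referer
  return url.href;                        // normalised, percent-encoded form
}

// Render a plain forward-pointing link; escaping happens at output time.
function renderBackLink(referer) {
  return `<a href="${escapeHtml(backLinkTarget(referer))}">Back to Datagrid</a>`;
}
```

In a Perl CGI the same two steps apply: validate `$ENV{'HTTP_REFERER'}` as a same-origin URL, then pass the result through an HTML-escaping function before printing it inside an `href`.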