request.getParameter returns dirty string - javascript

I have a site which is made by a CMS. When the site is visited as normal and a user searches on the site with the URL:
https://test.se/test.html?language=sv&SubjectArea=Ekonomi&identity=programSV,coursesSV,lifeLongLearningCoursesSV&showbutton=false
The JS code:
let test = requester.getParameter("identity")
console.log(test)
// programSV,coursesSV,lifeLongLearningCoursesSV
returns programSV,coursesSV,lifeLongLearningCoursesSV as expected.
But when I visit the site at the exact same URL, coming from an external page, the JS code above returns this instead: programSV%2CcoursesSV%2ClifeLongLearningCoursesSV
Any suggestions on what could be wrong and how this could be fixed?

Use URL and its searchParams for consistency - it will decode the URL for you regardless of encoded entities.
Alternatively use decodeURIComponent
const url1 = new URL(`https://test.se/test.html?language=sv&SubjectArea=Ekonomi&identity=programSV,coursesSV,lifeLongLearningCoursesSV&showbutton=false`)
const url2 = new URL(`https://test.se/test.html?language=sv&SubjectArea=Ekonomi&identity=programSV%2CcoursesSV%2ClifeLongLearningCoursesSV&showbutton=false`)
console.log(url1.searchParams.get("identity"))
console.log(url2.searchParams.get("identity"))
// alternative
console.log(decodeURIComponent(`programSV%2CcoursesSV%2ClifeLongLearningCoursesSV`))
NOTE: decodeURI does nothing for your commas:
decodeURI(requester.getParameter("identity"))
returns programSV%2CcoursesSV%2ClifeLongLearningCoursesSV
however decodeURIComponent does work:
decodeURIComponent(requester.getParameter("identity"))
returns programSV,coursesSV,lifeLongLearningCoursesSV

The commas are being encoded; you have to use decodeURIComponent, like this: decodeURIComponent(requester.getParameter("identity")). See the link for reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent
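As an added example (not code from the original post or from the CMS in question), the following puts the two answers above side by side and adds the check a practitioner would want: the value must come back identical whether the referring page left the commas literal or sent them as %2C, decodeURI must be shown to leave %2C alone, and a malformed escape must not throw a URIError that stops the rest of the script. The two query strings are constructed from the question.

```javascript
// Added example, not code from the original post or the CMS: read a query
// parameter so that it comes back identical whether the referring page left
// the commas literal or percent-encoded them as %2C.

// Constructed inputs: the two query strings from the question.
const RAW_QUERY =
  "?language=sv&SubjectArea=Ekonomi&identity=programSV,coursesSV,lifeLongLearningCoursesSV&showbutton=false";
const ENCODED_QUERY =
  "?language=sv&SubjectArea=Ekonomi&identity=programSV%2CcoursesSV%2ClifeLongLearningCoursesSV&showbutton=false";

// Preferred: let URLSearchParams split and decode. It decodes exactly once, so a
// value that arrived with literal commas is not touched and one that arrived
// with %2C is decoded. In the browser pass window.location.search.
function getParam(search, name) {
  return new URLSearchParams(search).get(name); // null when the parameter is absent
}

// Fallback when all you have is a string from another API (such as the CMS's
// getParameter): decode it, but do not let a malformed escape such as "%E0%A4%A"
// or a stray "%" throw a URIError that stops the rest of the script.
function safeDecodeComponent(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    if (e instanceof URIError) return value; // keep undecodable input verbatim
    throw e;
  }
}

// Why decodeURI does not help: it deliberately leaves the reserved characters
// ; / ? : @ & = + $ , # encoded, so %2C survives it. decodeURIComponent decodes
// every escape sequence.
function compareDecoders(value) {
  return {
    decodeURI: decodeURI(value),
    decodeURIComponent: decodeURIComponent(value),
  };
}

// Split the decoded identity list the way the site's search expects it.
function identityList(search) {
  const v = getParam(search, "identity");
  return v === null ? [] : v.split(",");
}
```

One difference worth knowing: URLSearchParams follows form encoding and turns "+" into a space, while decodeURIComponent leaves "+" as is, so pick one of the two and use it for every parameter rather than mixing them.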

Related

how to download file using jquery in asp.net core?

I use this code to download a file using jQuery.
$('#dwnlod').click(function (e) {
    e.preventDefault();
    // strips "url", "(" and ")" from the CSS value, but leaves the quotes in place
    var currentFile = $('#SlideContainer .actv').css('background-image').replace(/^url|[\(\)]/g, '');
    alert(currentFile);
    document.location.href = currentFile;
});
However, it always does nothing. The reason for this is that when I remove e.preventDefault to read the URL, I find it distorted.
Rather than the result from the alert >>
"https://localhost:660066/Uploads/5c92f430-4aef-41c8-b201-853597935771.jpg"
it displays in a new browser tab >>
https://localhost:660066/Documents/Index/"https://localhost:660066/Uploads/5c92f430-4aef-41c8-b201-853597935771.jpg"
I don't know if I need extra steps with ASP.NET Core routing!?
It looks like the issue is that currentFile returns a string that is surrounded by quotes and thus the browser is interpreting it as a relative URL (since the scheme isn't at the beginning of the string). Removing the start and end quotes if they exist should get you the behavior you are looking for.
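As an added example (not code from the original post), this extracts the URL from a CSS background-image value whether it is wrapped in double quotes, single quotes or none, and shows why the quoted string was resolved as a relative path. The host, port and file name are constructed placeholders (the question's port 660066 is above the valid range, so a valid one is used).

```javascript
// Added example, not code from the original post: extract the URL from a CSS
// background-image value (with or without quotes) and show why the quoted
// string resolved as a relative path. Host, port and file name are
// constructed placeholders.

const PAGE_URL = "https://localhost:5001/Documents/Index/";
const COMPUTED_BG = 'url("https://localhost:5001/Uploads/sample.jpg")';

// Matches url(...) with an optional matching pair of single or double quotes.
const CSS_URL_RE = /url\(\s*(['"]?)(.*?)\1\s*\)/;

function extractBackgroundUrl(cssValue) {
  const m = CSS_URL_RE.exec(cssValue);
  if (!m) return null; // "none", a gradient, etc.
  return m[2].trim();
}

// The one-liner from the question: strips "url", "(" and ")" but leaves the
// quotes in place. Kept here so the two results can be compared.
function naiveStrip(cssValue) {
  return cssValue.replace(/^url|[\(\)]/g, "");
}

// What the browser does with the value assigned to document.location.href:
// anything that does not start with a scheme is resolved relative to the
// current document, and a leading quote means it does not start with a scheme.
function resolveAgainstPage(target, pageUrl) {
  return new URL(target, pageUrl).href;
}
```

In the click handler, replace the replace() call with extractBackgroundUrl($('#SlideContainer .actv').css('background-image')) and bail out when it returns null; the quote character ends up percent-encoded as %22 in the resolved path, which is why the address bar showed the whole quoted URL appended to /Documents/Index/.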

URL with URL parameters gets concatenated in browsers

I have the following code:
const url = 'https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=' +
encodeURIComponent('https://dev.mysite.com/google_oauth2/') +
'&scope=https://www.googleapis.com/auth/drive.file&client_id=myclientid'
window.open(url, "", "width=700,height=500")
And the super-strange behaviour is that if I clear the browser history and run this code for the first time, it works fine, BUT THEN if I run it for the second and subsequent times, the URLs get concatenated and I see
https://dev.mysite.com/google_oauth2/?code=mycode&scope=https://www.googleapis.com/auth/drive.file
instead of
https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https://dev.mysite.com%2Fgoogle_oauth2%&scope=https://www.googleapis.com/auth/drive.file&client_id=myclientid
Does anyone know why this happens ?
BTW, I am using React.JS, but I don't think it has anything to do with this...
Resolved. Was a Google-specific issue
I would suggest you use the more appropriate URL and URLSearchParams for this purpose: https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams
and https://developer.mozilla.org/en-US/docs/Web/API/URL
So your code would be:
const url = new URL('https://accounts.google.com/o/oauth2/v2/auth');
url.searchParams.append('redirect_uri', 'https://dev.mysite.com/google_oauth2/');
url.searchParams.append('scope', 'https://www.googleapis.com/auth/drive.file');
url.searchParams.append('client_id', 'myclientid');
And url.href would be:
https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https%3A%2F%2Fdev.mysite.com%2Fgoogle_oauth2%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file&client_id=myclientid

How to get param values from deeplinks

I open my app with a deeplink
myscheme://?param1=value1&param2=value2
How can I get the value of the parameters? I found different posts that treat this subject, but the ones I tried work on http links I think; I always get a warning telling me that the BlobURL object is not supported yet.
var url = new URL(data);
alert(url.searchParams.get("param1"));
I have tried your example, and it works, with a slight adjustment:
let myscheme = 'http://www.example.com/?param1=value1&param2=value2'
var url = new URL(myscheme);
alert(url.searchParams.get("param1"));
More details can be found here.
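As an added example (not code from the original post), the following reads the parameters of a custom-scheme deep link directly, without rewriting it to http. It uses the WHATWG URL parser where the runtime accepts the custom scheme and falls back to a hand-written query parser where it does not, which is the "not supported" situation the question describes. Both links are constructed.

```javascript
// Added example, not code from the original post: read the query parameters
// of a custom-scheme deep link such as myscheme://?param1=value1&param2=value2.
// Uses the WHATWG URL parser where the runtime accepts the custom scheme and
// falls back to a hand-written query parser where it does not. Both links
// below are constructed.

const DEEP_LINK = "myscheme://?param1=value1&param2=value2";
const DEEP_LINK_WITH_PATH = "myscheme://open/item?id=42&title=Hello%20World&tag=a%26b";

// Decode one key or value: "+" is a space in form encoding, and a malformed
// escape is kept verbatim instead of throwing a URIError.
function decodePiece(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Fallback: the text between the first "?" and the first "#", split on "&"
// and on the first "=" of each pair. The first occurrence of a key wins,
// matching URLSearchParams.get. A null-prototype object avoids clashes with
// keys such as "constructor".
function parseQueryManually(link) {
  const params = Object.create(null);
  const q = link.indexOf("?");
  if (q === -1) return params;
  const hash = link.indexOf("#", q);
  const query = link.slice(q + 1, hash === -1 ? link.length : hash);
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = decodePiece(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? "" : decodePiece(pair.slice(eq + 1));
    if (!(key in params)) params[key] = value;
  }
  return params;
}

function deepLinkParams(link) {
  if (typeof URL === "function") {
    try {
      const params = Object.create(null);
      for (const [key, value] of new URL(link).searchParams) {
        if (!(key in params)) params[key] = value;
      }
      return params;
    } catch (e) {
      // Runtime could not parse the custom scheme; use the fallback below.
    }
  }
  return parseQueryManually(link);
}
```

Treat whatever comes out of the deep link as untrusted input: anything that can open the scheme can set these values, so validate them before they drive navigation or any privileged action in the app.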

How to escape absolute URI?

In the script http://theip.com/something/index.php
I have the following javascript URI:
var uri = '/something/script.php?q=' + someDynamicValue
That I pass to a function "loadHTML(url, div)"
someDynamicValue can contain spaces and other symbols which make jQuery crash with $.load().
So, I try to encode uri:
$('#'+div).load(encodeURIComponent(uri));
And it gives
http://theip.com/something/%2Fsomething%2Fscript.php%3Fq%3D?_=1399924421585
That is, duplicating the /something (which should be an absolute URL, so it should go to http://ip.com/something/script.php)
Now if I do the following:
$('#'+div).load(encodeURIComponent(uri).replace(/%2F/g,'/'));
I get a "good" url but gives 404 Error:
http://theip.com/something/script.php%3Fq%3D?_=1399923477529
So I guess it is taking script.php%3Fq%3D?_=1399923477529 as a literal script name, maybe.
How can I fix it? (Encode the rest of the URL.)
Thanks!
You just need to encode the one part that isn't already properly URI encoded:
var uri = '/something/script.php?foo=' + encodeURIComponent(someDynamicValue)
$('#'+div).load(uri);
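As an added example (not code from this post or from the OAuth question above, "URL with URL parameters gets concatenated in browsers"), the following builds the same request URL four ways. It shows why encoding the whole relative URI (this question) and encoding nothing at all (the hand-concatenated OAuth URL) both go wrong, the second in a way that lets a value inject an extra parameter, and shows the two forms that work. Host, path and parameter names are constructed placeholders.

```javascript
// Added example, not code from either post: the same request URL built four
// ways. Host, path and parameter names are constructed placeholders.

const PAGE = "http://theip.com/something/index.php";
const SCRIPT_PATH = "/something/script.php";

// Wrong 1: encoding the entire relative URI turns every "/" into %2F and "?"
// into %3F, so the browser sees one long file name relative to the current
// directory. That is the duplicated /something/ and the missing query string.
function encodeWholeUri(dynamicValue) {
  return new URL(encodeURIComponent(SCRIPT_PATH + "?q=" + dynamicValue), PAGE).href;
}

// Wrong 2: no encoding. A value containing "&" adds a parameter the caller
// never intended and "#" truncates the query. Concatenating redirect_uri and
// scope by hand has exactly this failure mode.
function concatUnencoded(dynamicValue) {
  return new URL(SCRIPT_PATH + "?q=" + dynamicValue, PAGE).href;
}

// Right: encode only the component that is dynamic.
function encodeComponentOnly(dynamicValue) {
  return new URL(SCRIPT_PATH + "?q=" + encodeURIComponent(dynamicValue), PAGE).href;
}

// Also right, and it scales to many parameters: URLSearchParams encodes each
// value and puts "&" and "=" in the right places.
function buildWithSearchParams(params) {
  const u = new URL(SCRIPT_PATH, PAGE);
  for (const [k, v] of Object.entries(params)) u.searchParams.append(k, v);
  return u.href;
}

// How many parameters the server would actually receive.
function paramCount(href) {
  return [...new URL(href).searchParams.keys()].length;
}
```

URLSearchParams serialises a space as "+" where encodeURIComponent produces %20; both decode to a space on the server, but do not mix the two inside one query string when comparing or signing URLs.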

prevent using javascript in window.location

I have a page which redirects to a URL taken from parameters in the query string like:
page.html?redirectUrl=index.html
Inside the page i have code like this:
window.location.href = redirectUrl;
It is a requirement to take the redirect URL from parameters. The page contains security-sensitive data. Someone can make a URL with JavaScript like:
page.html?redirectUrl=javascript:alert(document.getElementById("password").value)
and the secure data can be stolen.
How can I prevent JavaScript code from being passed to window.location.href?
You might try putting the URL in an anchor element and checking the protocol:
var anchor = document.createElement("a");
anchor.href = redirectUrl;
if (anchor.protocol != "javascript:") {
    window.location.href = redirectUrl;
}
However, I'm not sure how good the browser support is for this, since MDN lists it as an HTML5 feature.
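As an added example (not code from the original post), the following builds on the anchor-element protocol check in the answer above but closes the gaps a block-list leaves: it allows only http(s) and only the page's own origin, so javascript:, data:, protocol-relative //host and backslash variants are all refused, and a redirect to another site (an open redirect) is refused as well. currentOrigin stands in for window.location.origin so the function also runs outside a browser; the origin and paths in the usage are constructed.

```javascript
// Added example, not code from the original post: validate the redirectUrl
// parameter before assigning it to window.location.href. Allows only http(s)
// on the page's own origin. `currentOrigin` stands in for
// window.location.origin so the code also runs outside a browser.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalised absolute URL to navigate to, or null to refuse.
function safeRedirectTarget(raw, currentOrigin) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let target;
  try {
    // Relative inputs such as "index.html" resolve against the current origin;
    // the parser also lower-cases the scheme and strips surrounding whitespace,
    // so " JavaScript:..." cannot slip past a case-sensitive string compare.
    target = new URL(raw, currentOrigin);
  } catch (e) {
    return null; // not a URL at all
  }
  // javascript:, data:, vbscript:, blob: and anything else that is not http(s).
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) return null;
  // //evil.example, https://evil.example, https://app.example@evil.example,
  // and scheme downgrades all fail the origin comparison.
  if (target.origin !== new URL(currentOrigin).origin) return null;
  return target.href;
}

// In the page itself (browser only):
//   const raw = new URLSearchParams(window.location.search).get("redirectUrl");
//   window.location.href = safeRedirectTarget(raw, window.location.origin) || "/";
```

If the set of legitimate destinations is small, an allow-list of paths (or a map from a short name to a path, with the name in the query string instead of a URL) is stricter still and removes the parser from the trust boundary entirely.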
This seems like it would work as long as you're not redirecting with it:
Javascript:
var field = document.getElementById("redirectUrl");
var newValue = String(field.value);
alert(newValue);
Basically, using the String constructor to "sanitize" the input.
These will probably help more with other cases:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Overall, I would recommend NOT using JavaScript to sanitize input. If you're handling really sensitive or important data, it is highly recommended to use a server-side language to validate and sanitize your input.
