I have a page which redirects to a url from parameters in query string like:
page.html?redirectUrl=index.html
Inside the page i have code like this:
window.localtion.href = redirectUrl;
It is requiements to use redirect url by parameters. The page contains secure sensitive data. Someone can make the url with javascript like:
page.html?redirectUrl=javascript:alert(document.getElementById("password").value)
and secure data can be stolen.
How to prevent bypass javascript code to window.localtion.href?
You might try putting the URL in an anchor element and checking the protocol:
var anchor = document.createElement("a");
anchor.href = redirectUrl;
if(anchor.protocol != "javascript:") {
window.localtion.href = redirectUrl;
}
However, I'm not sure how good the browser support is for this, since MDN lists it as an HTML5 feature.
This seems like it would work as long as you're not redirecting with it:
Javascript:
var field = document.getElementById("redirectUrl");
var newValue = String(field.value);
alert(newValue);
Basically, using the String constructor to "sanitize" the input.
These will probably help more with other cases:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Overall, I would recommend NOT using Javascript to sanitize input. If you're handling really sensitive or important data you are highly recommended to use a server-side language to validate and sanitize your input.
Related
So it's kind of a dumb question but I'm really wondering how I can make this :
user type www.mydomaine.com/something
page display : something
and it does with anything he type after the domain name
I've no idea how I could do that. I know I can get an info from an URL with jQuery but how can i remove the thing like index.html in the url? My guess would be with the htaccess?
Also, there won't be any other page but this with some design, how can I make sure someone doesn't go anywhere else but on the page that display what he wrote after the domain name?
I hope that's clear, thanks for reading and your answers !
Pierre
When creating an anchor tag and adding an href (or making a URL) I needed the URL to have a protocol (http or https), so I made a validation to add it, and then you can access the parameters of the URL easier.
Also, if you want to remove the / from the pathname you can use a .replace('/', '') when using parser.pathname
For removing index.html from the URL, you can split the path and get only the first element, or the ones you need f.e. parser.pathname.split('/')[0]
var myUrl = "www.mydomaine.com/something"
if (!myUrl.startsWith('http')) myUrl = 'http://' + myUrl;
var parser = document.createElement('a');
parser.href = myUrl;
console.log(parser.pathname);
// Other option
var theUrl = new URL(myUrl);
console.log(theUrl.pathname);
I used this as a reference.
I'm parsing an untrusted URI, but its URI-hood must be honored. I'm trying to protect against javascript: links, but I feel like I need to recurse on it, since you could have:
javascriptjavascript::
and after stripping out all instances of javascript: get back our old friend javascript: once again.
My other concern is analogously-nested unicode entities. For instance, we could have:
"jAvascript:alert('pwnt')"
...but we could also have:
"j&#塁vascript:alert('pwnt')"
...though I seem to be doing it wrong (whereas a successful attacker obviously won't.)
function resolveEntities(uri) {
var s = document.createElement('span')
, nestTally = uri.match(/&/) ? 0 : 1
, limitReached = false;
s.innerHTML = uri;
while (s.textContent.match(/&/)) {
s.innerHTML = s.textContent;
if(nestTally++ >= 5) {
limitReached = true;
break;
}
}
return encodeURI(s.textContent);
}
Didn't you already ask almost the same question before? Anyway, my suggestion remains the same: use a proper HTML sanitizer.
The particular sanitizer I linked to strips javascript: URLs automatically, but you can also set it up to allow only certain whitelisted URL schemes like Thomas suggests. As he notes, this is a good idea, since it's much safer to only allow schemes like http and https which you know to be safe.
(In particular, whether a given obscure URL scheme is safe or not may depend not only on the user's browser, but also on their OS and on what third-party software they may have installed — a lot of programs like to register themselves as handlers for their own URL schemes.)
Rather than specifying what you want to blacklist (e.g. javascript: URIs), it's better to specify what you want to whitelist (e.g. http and https only). What about something like this:
function sanitizeUri(uri) {
if (!uri.match(/^https?:\/\//)) {
uri = "http://" + uri;
}
return uri;
}
I like that the current address is nicely split up into sections in window.location, but I would like to be able to take an arbitrary URL and split it up following the exact same logic. I don't know how window.location handles corner cases and rare scenarios, so I would like to avoid doing this manually if possible. Since the browser is already doing this work on the current address I'm hoping it contains a function that can do it to any address.
If there are any nice cross-browser libraries (perhaps jQuery plugins) out there I'd love to hear about them too.
You could create an a (HTML Anchor Element) element in JavaScript and specify the href attribute. Then you'll be able to call the properties associated with an anchor element, hash, protocol, host, port etc...
https://developer.mozilla.org/en-US/docs/DOM/HTMLAnchorElement
Using the info in Xander's answer I've written a small function that parses an URL and returns an object with the desired information. I thought I'd share it here:
function parse_url(url)
{
var e = document.createElement('a');
e.href = url;
return {
'protocol': e.protocol,
'hostname': e.hostname,
'host': e.host,
'port': e.port,
'pathname': e.pathname,
'search': e.search,
'hash': e.hash
}
}
I am trying to implement what seems to be very simple JavaScript redirection, via the following rudimentary command:
window.location.href = "http://www.somesite.com";
So far so good, it works. I also can do it via the following method:
location.replace("http://www.somesite.com");
No problem here, it works again! The problem comes when I loose the protocol out of the string:
window.location.href = "www.somesite.com";
OR:
location.replace("www.somesite.com");
It just appends the new location to the current url:
www.currentsite.com/www.somesite.com
Of cause, that's not what I want. Is there any way to force the redirect?
One way is to use protocol-relative url like this:
window.location = "//www.somesite.com";
Or
window.location = "//somesite.com";
This way, it would redirect and browser itself will take care of figuring out protocol part eg http or https
Working Example
The protocol is required.
How else would the browser know whether
location.replace("mysite.pl");
was going to a Polish website or a Perl script on the current website?
You could do something like this to add http:// to the URL if it's not already there... although I can't think of a reason for not just including it yourself. Why complicate things?
function redirect(url) {
if(url.substr(4) != "http")
url = "http://" + url;
window.location.href = url;
}
redirect("www.google.com")
Let's say that location.href is http:/domain.com/en/ at the moment.
After a click I want it to be http://domain.com/en/#opened-File.html/1
This way I know what URL I need, so if a user copies and shares this URL I am doing:
$(document).ready(function(){
var info = window.location.hash.match(/^#([^\/]*)\/([^-]*)-(.*)$/),
url="", nivel="", seccion="";
if (info) {
url = info[1];
nivel = info[3];
seccion = info[2];
location.href = url;
}
}
Wich works fine, but my questions are:
is this a good aproach?
is this seo-frendly?
would you do it differently?
this works together with
$('nav a').each(function(){
if(!$(this).hasClass('enlaceAnulado')){
/*Recopilamos*/
var href = $(this).attr('href');
var id = $(this).attr('id');
var parts = id.split("_");
var seccion = parts[0];
var nivel = parseInt(parts[1])+1;
/*Quitamos el enlace*/
$(this).attr('href','javascript:void(0)');
/*Guardamos la información.*/
$(this).data('hrefnot',href);
$(this).data('nivel',nivel);
$(this).data('seccion',seccion);
$(this).addClass('enlaceAnulado');
}
});
So the links where static but i do this to improve user experience and load content via ajax
Search engine indexes your page content as if the url has nothing that follows the hash. Hash navigation is only intended for the browser to maintain a navigation history. You should always make the content you want to be indexed static. Consider this as an answer to all three questions of yours.
is this a good approach?
My first inclination is to think that this is a good job for the server-side (php, python, asp.net, apache rewrite, etc.)
is this seo-frendly?
I would worry about the hash, and instead utilize better Url practices.
would you do it differently?
I would rather have my server parse (mod rewrite, etc) the Url instead of javascript.
I'd like to add the following to Nikita Volkov's answer:
Search crawlers generally don't run JavaScript code (although Google is trying to change that). This means that redirecting the user to a static page using JavaScript, like what you're doing with this:
location.href = url;
...is not going to work.
If you want to make URL's with hash tags more SEO-friendly, you'll have to do it server-side.