Can JSON encoding in a URL pose a risk of XSS attacks?

To ensure my application has URL-friendly capabilities, I am storing its context as a JSON within the URL. This results in something like:

http://mysite.dev/myapppage/target#?context={%22attr1%22%3A{%22target_id-0%22%3A{%22value%22%3A%223%22%2C%22label%22%3A%22Hello%22}}}

This encodes a simple context:

{
    "attr1": {
        "target_id-0": {
            "value": "3",
            "label": "Hello"
        }
    }
}

I serialize my object using:

JSON.stringify(context)

And deserialize it using:

// Split the full URL on '?' and drop everything before the first one
var hashParamsElements = window.location.toString().split('?');
hashParamsElements.shift(); // we skip the first part of the URL
// $.deparam (jQuery BBQ plugin) turns "a=1&b=2" into an object, percent-decoding values
var hashParams = $.deparam(hashParamsElements.join('?'));
var contextString = hashParams.context;
// JSON.parse builds plain data; it does not evaluate code
var context = JSON.parse(contextString);

The context is only stored to read variables; there is no executed code within it. Is this method XSS safe?

If there is a threat, how can I mitigate it?

Answer №1

A potential threat arises when utilizing various decoding methods for JSON, specifically eval and new Function. These functions execute JavaScript code directly, opening the door to non-persistent XSS attacks through inserting code in URLs (and linking to it).

JSON.parse, on the other hand, does not pose this vulnerability and is protected against these types of attacks.

For more information, visit json.org.

Answer №2

Is the label variable ultimately incorporated into the Document Object Model (DOM)? For example, would

$('#something').html(context.attr1['target_id-0'].label) // bracket access: the key contains a hyphen

result in its insertion?

Subsequently, injecting a <script>...</script> tag within the label could potentially lead to a cross-site scripting (XSS) vulnerability.
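To make the two points above concrete (parsing the URL-carried JSON as the question does, and the DOM-insertion concern raised in this answer), here is an added example that is not part of the question or any answer. It runs in Node with no jQuery or browser: the URL and its `<script>...</script>` label are constructed for the demo, `readContext` is a hypothetical replacement for the `$.deparam` chain, and the two `render*` functions stand in for `.html()` versus `.text()` by building the markup as strings.

```javascript
// Constructed sample URL with the same shape as the question's, but a label carrying markup.
const SAMPLE_CONTEXT = {
  attr1: { 'target_id-0': { value: '3', label: '<script>...</script>' } }
};
const SAMPLE_URL =
  'http://mysite.dev/myapppage/target#?context=' +
  encodeURIComponent(JSON.stringify(SAMPLE_CONTEXT));

// Read "#?context=..." from the fragment and parse it. Hypothetical helper standing in
// for the question's $.deparam chain. Returns null instead of throwing on a malformed
// or missing value, so a tampered link cannot crash the page.
function readContext(url) {
  const hash = new URL(url).hash;                    // "#?context=%7B..."
  const query = hash.startsWith('#?') ? hash.slice(2) : hash.slice(1);
  const raw = new URLSearchParams(query).get('context'); // percent-decoded
  if (raw === null) return null;
  try {
    // JSON.parse only builds data; unlike eval / new Function it never runs code.
    return JSON.parse(raw);
  } catch (e) {
    return null;                                     // not valid JSON
  }
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Equivalent of $('#something').html(label): markup in the label is parsed as HTML.
function renderUnsafe(label) {
  return `<div id="something">${label}</div>`;
}

// Equivalent of $('#something').text(label): the label is shown as literal characters.
function renderSafe(label) {
  return `<div id="something">${escapeHtml(label)}</div>`;
}

// Walk-through: parsing is harmless; only the insertion step decides the outcome.
const ctx = readContext(SAMPLE_URL);
const label = ctx && ctx.attr1['target_id-0'].label;
console.log('parsed label :', label);
console.log('unsafe render:', renderUnsafe(label));
console.log('safe render  :', renderSafe(label));
```

The takeaway: `JSON.parse` is not the place the risk appears; it is wherever a value taken from the URL reaches `.html()`, `innerHTML`, or an attribute. Using `.text()` or escaping as above keeps a crafted link from becoming a reflected XSS.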

Answer №3

In my opinion, there is no danger present. It is entirely secure. The function JSON.parse does not permit any other functions to execute.

Furthermore, what is the purpose of using a question mark? If you wish to create a more authentic URL experience, consider utilizing hashbang instead.
