I have an HTML page which accepts any number of query string parameters, which I need to pass on to the next page the user visits by clicking links on my page. Basically, if the user comes to

http://example.com/some/page.html?param1=123&param2=567&smthelse=abcde 

Most of these query string parameters have tracking nature. I need to make sure that when the user clicks on certain links on this page or submits certain POST forms, all these query strings are passed along to the subsequent page.

If possible I am looking to avoid whitelisting/blacklisting query string parameters which should be allowed to be passed to the next page, as it is a lot of maintenance. Instead, I am planning to use jQuery/JavaScript to dynamically read all query strings, and update anchors' href attributes and forms' action attributes to append the entire window.location.search value to these URLs.

Example (jsbin):

    $(document).ready(function() {
      // Everything after the '?' of the current page URL ('' if there is none).
      var pageQsParams = window.location.search.split('?')[1] || '';

      // Append the page's query string to the link target.
      // Assumes the existing href has no query string of its own.
      var newLinkUrl = $('.link').attr('href') + (pageQsParams ? '?' + pageQsParams : '');
      $('.link').attr('href', newLinkUrl);

      // Same for the form's action attribute.
      var newFormUrl = $('#form').attr('action') + (pageQsParams ? '?' + pageQsParams : '');
      $('#form').attr('action', newFormUrl);
    });

Is this code vulnerable to XSS or phishing? Any other security vulnerability? Any better way to do it?

  • as coded it's safe because it appends to a legit path in a non-templated way
    – dandavis
    Commented Feb 14, 2017 at 6:55

1 Answer

This code is safe.

jQuery.attr isn't escapable via special characters, since it uses a setAttribute internally.

Since you set the href / action attributes, you must also check that the URL can't be manipulated by an attacker.

Since you prepend ? to the query string, it will start the query string part in the final URL, and prevent any path/host manipulation, as long as the previous URLs were well-formed, and used an http or https scheme.

If the previous URLs used the javascript scheme, then an XSS vector would have been possible.
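As an added example (not code from the question or the answer), the following plain-JavaScript version applies the two conditions the answer sets out: it only rewrites targets whose resolved scheme is http or https, so a javascript: or data: href is left untouched, and it merges the page's parameters with URLSearchParams so a target that already carries a query string does not end up with a second "?". The selectors .link and #form come from the question; the base URL and the fake element shape used for testing are assumptions.

```javascript
// Added example: propagate the page's query string to link/form targets while
// refusing non-http(s) schemes and preserving the target's own parameters.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the rewritten absolute URL, or null when the target must be left alone.
// `base` is the page's own URL (assumption: used to resolve relative hrefs).
function propagateQuery(target, pageSearch, base) {
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return null; // unparsable target: do not touch it
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null; // javascript:, data:, mailto: etc. are never rewritten
  }
  // URLSearchParams ignores a leading '?', so window.location.search works as-is.
  const incoming = new URLSearchParams(pageSearch);
  for (const [key, value] of incoming) {
    // Keep the target's own value if it already sets the same parameter.
    if (!url.searchParams.has(key)) {
      url.searchParams.append(key, value);
    }
  }
  return url.toString();
}

// Rewrites `attr` on each node (anything with getAttribute/setAttribute,
// e.g. a NodeList from querySelectorAll). Returns how many nodes changed.
function rewriteTargets(nodes, attr, pageSearch, base) {
  let changed = 0;
  for (const node of nodes) {
    const current = node.getAttribute(attr);
    if (current === null) continue;
    const next = propagateQuery(current, pageSearch, base);
    if (next !== null) {
      node.setAttribute(attr, next);
      changed++;
    }
  }
  return changed;
}

// Browser usage (guarded so the module also loads outside a browser):
if (typeof document !== 'undefined') {
  rewriteTargets(document.querySelectorAll('a.link'), 'href',
                 window.location.search, window.location.href);
  rewriteTargets(document.querySelectorAll('form#form'), 'action',
                 window.location.search, window.location.href);
}
```

Because the URL API re-serializes the result, a relative href such as /next/page.html comes back absolute; if the page must keep relative links, compare url.origin with the page origin and emit url.pathname + url.search instead.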
