In order to have a URL-friendly application I'm storing its context as JSON in the URL, which gives something like:
http://mysite.dev/myapppage/target#?context={%22attr1%22%3A{%22target_id-0%22%3A{%22value%22%3A%223%22%2C%22label%22%3A%22Hello%22}}}
Which encodes a basic context:
{
    "attr1": {
        "target_id-0": {
            "value": "3",
            "label": "Hello"
        }
    }
}
I'm serializing my object with:
JSON.stringify(context)
I'm deserializing it with:
var hashParamsElements = window.location.toString().split('?');
hashParamsElements.shift(); // skip the first part of the URL (everything before the first '?')
var hashParams = $.deparam(hashParamsElements.join('?'));
var contextString = hashParams.context;
var context = JSON.parse(contextString);
The context is only stored to read variables; there's no evaluated code in it. Can someone tell me whether or not it's XSS-safe?
If there's a threat: how can I avoid it?
A threat of this kind comes from using different methods of decoding JSON, namely `eval` and `new Function`. These execute JS code directly and therefore allow non-persistent XSS attacks by putting code in the URL (and linking to it). `JSON.parse` does not have this issue and is safe against these kinds of attacks. See also (json.org).
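The contrast the answer draws, as an added example that is not code from the question or the answer: the context parameter is read from the URL and decoded with `JSON.parse`, which only ever builds data and throws on anything that is not JSON, while `eval` executes whatever it is given. The `$.deparam` call from the question is replaced here by the standard `URLSearchParams` (an assumption, since that jQuery plugin is not available stand-alone), and the parser additionally rejects a decoded value that is not a plain object.

```javascript
// Added example, not from the question or answer. Runs under Node.js, where
// URLSearchParams is a global; it stands in for the $.deparam call in the question.

// The question's approach: keep everything after the first '?' of the URL.
function extractParamString(url) {
  const parts = url.split('?');
  parts.shift(); // drop everything before the first '?'
  return parts.join('?');
}

// Returns the decoded context object, or null if the parameter is missing,
// is not valid JSON, or does not decode to a plain object.
function parseContext(url) {
  const params = new URLSearchParams(extractParamString(url));
  const contextString = params.get('context');
  if (contextString === null) return null;

  let context;
  try {
    // JSON.parse never evaluates code: it only produces objects, arrays,
    // strings, numbers, booleans and null, and throws on anything else.
    context = JSON.parse(contextString);
  } catch (e) {
    return null; // malformed input is rejected, never "decoded" another way
  }

  // Only a plain object is an acceptable context here (not an array or scalar).
  if (context === null || typeof context !== 'object' || Array.isArray(context)) {
    return null;
  }
  return context;
}

// Side-by-side decoders for a harmless expression: eval computes it,
// JSON.parse refuses it. This is the difference the answer describes.
function compareDecoders(input) {
  let viaEval;
  try { viaEval = eval(input); } catch (e) { viaEval = 'error'; }
  let viaJson;
  try { viaJson = JSON.parse(input); } catch (e) { viaJson = 'error'; }
  return { viaEval, viaJson };
}

// Constructed sample input: the URL from the question.
const sampleUrl =
  'http://mysite.dev/myapppage/target#?context={%22attr1%22%3A{%22target_id-0%22%3A{%22value%22%3A%223%22%2C%22label%22%3A%22Hello%22}}}';

console.log(parseContext(sampleUrl));                                 // the nested context object
console.log(parseContext('http://mysite.dev/page#?context=1%2B1'));   // null: "1+1" is not JSON
console.log(compareDecoders('1+1'));                                  // { viaEval: 2, viaJson: 'error' }
```

The value of `label` still has to be written into the page with a text-safe API such as `textContent` rather than `innerHTML`; `JSON.parse` guarantees the decoding step does not run code, not that every later use of the decoded strings is safe.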