2

I'm looking for a way to store a few javascript variables in my URL's hash. My aim is to allow users to restore a particular state of a web application using a bookmark.

It occurred to me that one approach might use JSON serialization. I.e., I'd store my variables like this

var params = { var1: window.val1, var2: window.val2 }
window.location.hash = JSON.stringify(params)

and recover them like this

var paramStr = window.location.hash.substring(1) // substring removes the initial "#"
var params = JSON.parse(paramStr)
window.var1 = params.var1
window.var2 = params.var2

This seems like the simplest and most concise technique for doing what I want. It's easy for me to understand, and it uses fewer lines of code, than, for example, this popular SO suggestion. However, it also feels insecure. A malicious user would be able to write arbitrary code into the url, and my app would execute it. This seems dangerous, but I'm pretty new to web programming and so I don't know how big a deal this is.

Is the technique I've outlined above for storing variables in window.location.hash safe to use? If not, why not? What's the worst that could happen?

Community
  • 1
  • 1
dB'
  • 7,838
  • 15
  • 58
  • 101
  • The question is: can a "malicious user" cause *others* to inadvertently perform an action? A malicious person doing malicious things to himself/herself is - moral beliefs aside - fine. –  Jan 13 '13 at 22:41
  • Your main issue is that you are building invalid urls. The hash doesn't accept characters such as double quotes and curly braces, which are obviously a big part of JSON. – Christophe Jan 25 '13 at 17:35

3 Answers3

5

Yes, it is safe to parse arbitrary data. A JSON parser does not execute any code that does something different from defining an Object/Array/String/Number. Native ones don't even use eval at all (and non-native ones validate the JSON data before using eval).

It is also safe to assign it to predefined (global) variables assuming your code doesn't do "bad" stuff with those variables.

However, it's not necessarily safe to assign it to arbitrary global variables. While JSON can't contain functions you don't want anyone to be able to overwrite any globals.

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
  • Exactly. In particular, in order to use JSON to serialize specific user "classes", you have to pass in a `reviver`, which you control. This differs from other languages where special forms of keys can trigger arbitrary code – Jim Deville Jan 13 '13 at 22:07
4

malicious user would be able to write arbitrary code into the url [...] Is the technique [...] safe to use?

It's safe. One of the advantages of JSON.parse() over old eval() approach is that it's safe and won't run arbitrary code.

A separate question is: is it a good idea to put JSON in hash? I would go for more concise representation.

Tomasz Nurkiewicz
  • 334,321
  • 69
  • 703
  • 674
0

Lesson number one is that all user input should never be trusted.

Always validate everything. In the case of your app, if it is offline-only then it really doesn't matter what the malicious user types since it will only affect their own computer.

If it involves server-side activity, then you should check to make sure that the input you received makes sense. For instance, if the user is trying to access a saved file, does the user have permission to view it?

There is no security in obscurity, so JSON in the hash is just as secure as some complex encryption method.

Niet the Dark Absol
  • 320,036
  • 81
  • 464
  • 592