
I am using node.js and express4

In my app, users can write posts and give them a title. I will generate a unique ID for each post.

One can then access a post via the URL: domain/posts/ID-of-the-post/title-of-the-post. Server-side, after parsing the URL, I only use the ID of the post to query my database. I never use the title of the post from the URL because I get it safely from my database.

So basically, the url domain/posts/A-valid-ID-of-a-post/ANYTHING points to the page of a post.

My question is: is this dangerous? Can some attacker take advantage of this? If yes, how can I protect myself?

Note: I am protected against HTML injection, so my question is only about the URL.

Hugo

4 Answers

1

You can use it; in fact I have seen many sites/forums, and Stack Overflow itself, using this method. For instance, look at the current URL of a web page:

stackoverflow.com/questions/25763180/is-it-dangerous-to-display-user-input-in-url

It is not that dangerous; just keep in mind that it is unsanitized input and treat it accordingly, as a potential input attack (actually, do that always!).

SilverlightFox
alandarev
0

It is safe if you put some basic security precautions in place.

If your post ID is a numeric value, you could just check if the value is a valid positive number. If yes, continue, otherwise, return an error or show a 404 page.

If your post ID is a string value, there is a chance of SQL injection if your storage is an RDBMS. In such a case, the underlying DBMS module should provide a function to escape string values. For instance, node-cubrid, a Node module for the CUBRID database, has an _escapeString() helper function.

Once you implement these basic checks and sanitisation, it's safe to put the post ID in the URL.

esengineer
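The checks this answer describes, written out as an added example (it is not code from the question, the answer, or node-cubrid): the ID segment that Express would hand over in `req.params` is validated before it reaches the database, and the query shape passes the ID as a bound parameter so no escaping helper is needed. The `/posts/:id/:title?` route, the opaque base62 token format and the `?` placeholder syntax are assumptions.

```javascript
// Added example, not from the question or any answer. Validates the post ID
// from the URL before any database access. The title segment is ignored for
// the lookup, exactly as the question describes.

// Parse a decimal positive integer ID. Returns a number, or null when the
// segment is not a canonical positive integer (rejects "", "0", "-1", "1e3",
// "42abc", " 42" and zero-padded forms such as "007").
function parsePostId(segment) {
  if (typeof segment !== 'string') return null;
  if (!/^[1-9][0-9]{0,15}$/.test(segment)) return null;
  return Number(segment);
}

// Assumed alternative ID format: an opaque 16..32 character base62 token,
// for apps that generate random IDs rather than numeric ones.
const TOKEN_RE = /^[A-Za-z0-9]{16,32}$/;
function isValidTokenId(segment) {
  return typeof segment === 'string' && TOKEN_RE.test(segment);
}

// params mirrors Express's req.params for an assumed route
// '/posts/:id/:title?' (Express percent-decodes the segments for you).
// Returns either a 404 decision or the query to run, with the ID bound as a
// parameter ("?" placeholder syntax assumed) rather than concatenated into
// the SQL text, which is why no escaping function is needed here.
function buildPostQuery(params) {
  const id = parsePostId(params.id);
  if (id === null) return { status: 404 };
  return {
    status: 200,
    sql: 'SELECT id, title, body FROM posts WHERE id = ?',
    params: [id],
  };
}

// Stand-alone demonstration of the decision for a few constructed requests.
function demo() {
  return [
    buildPostQuery({ id: '42', title: 'anything-at-all' }),
    buildPostQuery({ id: '007', title: 'zero-padded' }),
    buildPostQuery({ id: '42abc' }),
  ];
}
```

The regex accepts only the canonical spelling of an integer, so `'007'` and `'42'` cannot refer to the same post through two different URLs, which keeps caching and canonical-link logic simple.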
0

This is safe but you should consider percent encoding the string.

Certain characters have special meanings to the browser, such as the # character, which is used to look up an anchor tag for scrolling (in the format <a name="foo">) and is also available to JavaScript as the window.location.hash property. Depending on your site and its JavaScript code, and if data is read from this property, it could be possible for an attacker to launch a DOM-based XSS attack. While allowing the # character in your URL will not affect whether such a vulnerability exists or not, if there is such a vulnerability an attacker might be able to leverage this functionality with another attack by purposely creating a URL containing this character, which will enable any dynamically generated links on your site to execute the attack. Without this leverage, the victim would have to follow a link from the attacker instead (e.g. from an email or a forum). Bottom line: it is better to percent encode or remove the # character to be safe.

You should also percent encode (or remove) other special characters, specifically anything outside of the following:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=

as these characters are the only ones valid in a URL according to RFC 3986.

Community
SilverlightFox
  • I have tried using the # as an entry point to follow a link: I added a link on the page with the id "bar" and I entered "foo#bar" as the post title. Hopefully, all it did was scroll to the link, not follow it. Anyway, I will now percent encode, just to be on the safe side – Hugo Sep 12 '14 at 08:49
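An added example (not code from the answer or the comment) that makes the answer's point observable: Node's global WHATWG `URL` parser stands in for the browser, and shows that a raw `#` in the title segment ends up in `hash` (what `window.location.hash` would return) while the percent-encoded form stays in the path. It also includes a membership test against the RFC 3986 character set quoted above. The origin `https://example.invalid` and the titles are constructed values.

```javascript
// Added example, not from the answer. Shows how a browser splits a post URL
// depending on whether the title segment was percent-encoded.

const ORIGIN = 'https://example.invalid'; // constructed origin for the example

// The characters RFC 3986 allows to appear literally in a URL: unreserved
// (letters, digits, - . _ ~) plus the reserved set. This is the list quoted
// in the answer.
const RFC3986_CHARS = new Set(
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  "-._~:/?#[]@!$&'()*+,;="
);

// True when every character of s is in the RFC 3986 set. This only says the
// character may appear in a URL; '#', '?' and '/' pass the test yet still
// carry structural meaning, which is the answer's warning.
function isRfc3986Literal(s) {
  for (const ch of s) {
    if (!RFC3986_CHARS.has(ch)) return false;
  }
  return true;
}

// Encode a title for use as a single path segment. encodeURIComponent leaves
// only A-Z a-z 0-9 - _ . ! ~ * ' ( ) unencoded, so '#', '?', '/', spaces and
// every non-ASCII character become %XX escapes.
function encodeTitleSegment(title) {
  return encodeURIComponent(title);
}

// Build /posts/<id>/<segment> on the constructed origin and report how a
// WHATWG-compliant parser (the browser, or Node's URL) splits it.
function describeUrl(id, titleSegment) {
  const u = new URL(`/posts/${id}/${titleSegment}`, ORIGIN);
  return { href: u.href, pathname: u.pathname, search: u.search, hash: u.hash };
}

// Side-by-side comparison for one constructed title.
function compare(title) {
  return {
    raw: describeUrl(42, title),
    encoded: describeUrl(42, encodeTitleSegment(title)),
  };
}
```

For the title `foo#bar`, the raw form yields `pathname` `/posts/42/foo` and `hash` `#bar`, so any script reading `location.hash` sees attacker-chosen text; the encoded form yields `pathname` `/posts/42/foo%23bar` and an empty `hash`.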
-1

Whether it's dangerous in terms of security I don't know, but you shouldn't do this even if it's safe. Many characters can cause confusion for users (e.g. anything non-visible, homograms), or for robots (#, ?). URLs have specific syntax, and letting users jam any old string in them is not a good design. Sanitize them to only contain e.g. lowercase letters and dashes and numbers, the way many sites (including Stack Overflow) do.

John Zwinck
  • Stack Exchange will disagree with you; check out the URL of this page. Pretty URLs are a way forward to improve UX – alandarev Sep 10 '14 at 11:17
  • Stack Exchange does sanitize before building URLs: e.g. http://stackoverflow.com/questions/25763974/oclint-error-no-rule-loaded has colons in the title but not the URL! – John Zwinck Sep 10 '14 at 11:19
  • Yes it does. But a need to sanitize user input is not a reason to drop the whole UX enhancement idea. – alandarev Sep 10 '14 at 11:36
  • I think this answer didn't deserve a downvote. (I don't have enough reputation points to vote up, though) – Hugo Sep 11 '14 at 11:08
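An added example (not code from the answer, the comments, or Stack Overflow) of the sanitization the answer recommends: the title is reduced to lowercase ASCII letters, digits and dashes before it is placed in the URL, which is what turns "OCLint error: no rule loaded" into the colon-free slug quoted in the comments. The canonical-redirect helper at the end is an assumed way to use it with the question's design, where only the ID selects the post and the title comes from the database.

```javascript
// Added example, not from the answer. Builds the "pretty" part of a post URL
// from a user-supplied title so that it contains only [a-z0-9-].

// Accented letters are decomposed (NFKD) and their combining marks dropped,
// so "Café" becomes "cafe" rather than being deleted entirely. Everything
// that is not a lowercase letter or digit collapses into a single dash.
function slugify(title, maxLen = 80) {
  const slug = String(title)
    .normalize('NFKD')
    .replace(/[\u0300-\u036f]/g, '')  // remove combining diacritical marks
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')      // any other run of characters -> "-"
    .replace(/^-+|-+$/g, '')          // no leading or trailing dash
    .slice(0, maxLen)
    .replace(/-+$/g, '');             // truncation may leave a trailing dash
  return slug || 'post';              // never emit an empty path segment
}

// The URL the app would link to for a given post (route shape assumed).
function postPath(id, title) {
  return `/posts/${id}/${slugify(title)}`;
}

// Assumed usage with the question's design: after looking the post up by ID,
// compare the slug the client sent with the slug built from the stored title.
// A mismatch means the client should be redirected to the canonical URL, so
// one post is reachable under one address only.
function canonicalize(id, requestedSlug, storedTitle) {
  const expected = postPath(id, storedTitle);
  const requested = `/posts/${id}/${requestedSlug}`;
  return requested === expected ? { redirect: null } : { redirect: expected };
}
```

Because `slugify` is deterministic and its output is confined to `[a-z0-9-]`, the comparison in `canonicalize` is a plain string equality and no percent-encoding question arises for the title part of the path.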