I created a form that displays the results in another html page but the @ sign is displayed as %40 in the new page. This is my code below. Can someone help out?

<script type="text/javascript">
window.onload = function () {
    var url = document.location.href,
        params = url.split('?')[1].split('&'),
        data = {}, tmp;
    for (var i = 0, l = params.length; i < l; i++) {
        tmp = params[i].split('=');
        // value is stored exactly as it appears in the URL;
        // %XX escapes such as %40 are never decoded here
        data[tmp[0]] = tmp[1];
    }
    // innerHTML parses the value as HTML (see the comments below)
    document.getElementById('email-display').innerHTML = data.Email;

}
</script>
Remy Lebeau
Coke Boi
  • You need to URL-decode the value. – SLaks Jun 02 '16 at 15:52
  • **1.** You need to URL decode the parameters. **2.** Your use of `innerHTML` for unfiltered user submitted values is an XSS vulnerability. Consider using `textContent` instead. – Alexander O'Mara Jun 02 '16 at 15:53
  • 1
    Why are you handling this with client-side scripting instead of doing server-side? When the HTML form is submitted, the server could easily decode the URL parameters and return a new HTML page that has the email field pre-populated. – Remy Lebeau Jun 02 '16 at 16:07
  • Possible duplicate of [How can I get query string values in JavaScript?](http://stackoverflow.com/questions/901115/how-can-i-get-query-string-values-in-javascript) – Remy Lebeau Jun 02 '16 at 22:02

1 Answer


The URL query component is encoded. You are not fully decoding it. %40 is the encoded form of @. Technically, @ is not required to be encoded in the query component, but your server is doing so.

After you split the query data on & and =, you need to decode the resulting substrings by replacing the %XX hex sequences with the corresponding bytes, and then converting the resulting bytes to string characters based on whatever charset your server uses (usually utf-8, but not always).

Read RFC 3986, in particular Section 2.1 and Section 3.4.

Remy Lebeau
  • I really didn't get a thing.. I am lost. Can you please explain more, or can you please help correct the javascript? I am not really good with javascript – Coke Boi Jun 02 '16 at 21:51
  • See [How can I get query string values in JavaScript?](http://stackoverflow.com/questions/901115/) and [JavaScript URL Decode function](http://stackoverflow.com/questions/4292914/). – Remy Lebeau Jun 02 '16 at 22:01
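The decoding the answer describes, written out as an added example (this is not code from the question or from the answer): split the query on `&` and `=`, turn every `%XX` escape into a byte, decode the byte run as UTF-8 with `TextDecoder`, and then write the result with `textContent` rather than `innerHTML`, as Alexander O'Mara's comment suggests. The function names `percentDecode`, `parseQuery` and `showEmail`, the element id `email-display` (taken from the question) and the sample URLs are assumptions made for the example. It goes slightly beyond the answer in two ways: `+` is treated as a space, because an HTML form submitted with GET uses `application/x-www-form-urlencoded`, and a malformed escape such as `%4` or `%ZZ` is kept literally instead of throwing the way `decodeURIComponent` does.

```javascript
// Added example (not the original question's or answer's code).
// Decodes the query component of a URL the way RFC 3986 section 2.1
// describes: %XX escapes become bytes, bytes become characters in the
// server's charset (UTF-8 assumed). '+' is treated as a space because HTML
// form GET submissions use application/x-www-form-urlencoded.

function percentDecode(s, charset) {
  const decoder = new TextDecoder(charset || 'utf-8'); // assumption: server uses UTF-8
  const bytes = [];                                    // pending %XX bytes, decoded together
  let out = '';
  const flush = () => {
    if (bytes.length) {
      out += decoder.decode(Uint8Array.from(bytes));   // invalid UTF-8 becomes U+FFFD
      bytes.length = 0;
    }
  };
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    const hex = s.slice(i + 1, i + 3);
    if (c === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));                   // one escaped byte
      i += 2;
    } else if (c === '+') {
      flush();
      out += ' ';
    } else {
      flush();
      out += c;                                        // malformed "%" is kept literally
    }
  }
  flush();
  return out;
}

// Parses "?a=b&c=d" from a full URL into a plain key/value object.
function parseQuery(url) {
  const q = url.indexOf('?');
  if (q === -1) return Object.create(null);
  let query = url.slice(q + 1);
  const hash = query.indexOf('#');
  if (hash !== -1) query = query.slice(0, hash);       // the fragment is not part of the query
  const data = Object.create(null);                    // no inherited keys like "constructor"
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');                      // split on the first '=' only
    const key = percentDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : percentDecode(pair.slice(eq + 1));
    if (!(key in data)) data[key] = value;             // keep the first occurrence
  }
  return data;
}

// Writes the decoded address as text. textContent never parses the value
// as HTML, so a submitted "<script>" is shown literally instead of running.
function showEmail(data, doc) {
  const el = doc.getElementById('email-display');
  if (el) el.textContent = data.Email || '';
  return el ? el.textContent : '';
}

if (typeof window !== 'undefined') {
  window.onload = () => showEmail(parseQuery(window.location.href), document);
}
```

The page that the form submits to would include this script and keep the `<span id="email-display"></span>` element from the question; nothing else on that page needs to change.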