stackoom
  简体   繁体   中英

Add email to URL as parameter - security issue? Javascript solution?

 原文  2018-02-26 15:56:32       javascript/ forms/ email

Question

I've the following issue and would require a second opinion.

A user signs up via a form for a digital service (several input fields). Only one field can be filled out later, but it is required within several days (fieldName: apple).

I'd like to make it as easy as possible for the user to submit this information. Therefore he gets a reminder email after several days with a link to a form "getApple", where he can put the value for "apple" in.

I need to identify this user with a userID, in this case the email address. Is there a way to attach the user email address as a parameter in the URL to prefill my form "getApple"?

2 answers

solution1
 1  2018-02-26 16:21:02

Yes, just create the link with one of the query parameters to be something like ?email=myemail@example.com Make sure you at least URL encode the email so it doesn't break anything.

Then javascript can use URLSearchParams to pull the value out, deserialize it, and place it into a form field (hidden if you don't want them changing it, visible if it's okay if they change it). When they submit, viola! the email comes across as well.

Things to consider from a security perspective! Make sure you sanitize the value passed through the URL, this is an avenue for XSS attacks so make sure you cover yourself on that front. And as always, resanitize all the values on the server to avoid SQL injection and all the other nasties hackers may try. While you can use this method for passing email address or other innocuous information, DO NOT use this method to pass log in credentials or other authenticating information.

If you're really paranoid about keeping your users activity secret and safe from any spying (since their email would be recoverable to anyone who can see the url, ie listeners, accidental url forwards, etc.) you can encrypt their email with a secret kept on the server to pass through the URL like above, then the form would send the encrypted email, and the server would decrypt with its secret. This is probably unnecessary for most applications.

solution2
 -1  2018-02-26 16:01:55

You can try to encode an email address and send it in the link. And then decode the same method on your server.

ps. For example try use md5.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Javascript add parameter to url Add parameter to URL with Javascript Javascript: Add a parameter after an URL How to add parameter to url in javascript? Javascript Add Current Domain Name to URL Parameter How to add parameter to image url with JavaScript Jquery / Javascript Solution for URL matches Href then add a Class Modify URL and add parameter in between the URL using javascript JavaScript security issue API issue | URL with parameter
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM