This is my code, where I have a userId in a method SwitchUser_Click. I need to prevent or somehow encode the return value from SwitchUser_Click, as it includes the UserId of a user, vulnerable to XSS attack or redirects.

    function SwitchUser_Click(containerElement, OnSuccess) {
        var selecteduserId = $("select", containerElement).val();
        var makeDefault = $(":checkbox", containerElement).is(":checked");
        window.location = "Default.aspx?uId=" + selecteduserId + "&userActive=" + (makeDefault ? "1" : "0");
        OnSuccess();
    }

The code below is called from the aspx page by using Client.RegisterScript and passing the parameters. This is the only place the SwitchUser_Click method is used.

    function OpenSwitchUser(UserId, modCode, defUrl) {
        defaultUrl = defUrl;
        var options =
        {
            controlUrl: "~/Controls/SwitchUserDialog.ascx",
            params: { uid: UserId, mod: modCode },
            top: 70,
            width: 600,
            height: 2500,
            OKCallback: SwitchUser_Click,
            InitCallback: SwitchUserDialog_Init,
            cancelCallback: SwitchUser_Close
        };
        $.showControlDialog(options);
    }

My aspx.cs page. Here is the problem: I need to find a better approach to this part.

    var parameterUserId = Request.QueryString["uId"]; // problem: need a better approach

I want to know how to encode my userId in the SwitchUser_Click method and decode it when it's called. Or maybe there is some other way to do this. Thank you.
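
A hardened form of the client-side handler from the question, as an added example that is not part of the original post: it validates the selected id against an allow-list pattern and percent-encodes it before building a fixed, relative URL. The helper name `buildSwitchUserUrl`, the constant `USER_ID_PATTERN` and the assumption that user ids are positive integers are hypothetical and not taken from the post.

```javascript
// Added example, not the original poster's code.
// Assumption: user ids are positive integers of at most 10 digits.
// Change the pattern if the application uses another id format (e.g. GUIDs).
var USER_ID_PATTERN = /^[1-9][0-9]{0,9}$/;

// Hypothetical helper: returns a relative URL on the same site, or throws
// when the id does not match the expected format.
function buildSwitchUserUrl(rawUserId, makeDefault) {
  var userId = String(rawUserId == null ? "" : rawUserId).trim();
  if (!USER_ID_PATTERN.test(userId)) {
    throw new Error("Unexpected user id format");
  }
  // encodeURIComponent is a no-op for digits, but it keeps the value confined
  // to the uId parameter if the pattern above is ever loosened.
  return "Default.aspx?uId=" + encodeURIComponent(userId) +
         "&userActive=" + (makeDefault ? "1" : "0");
}

// Same handler as in the question, routed through the helper.
function SwitchUser_Click(containerElement, OnSuccess) {
  var selectedUserId = $("select", containerElement).val();
  var makeDefault = $(":checkbox", containerElement).is(":checked");
  var target;
  try {
    target = buildSwitchUserUrl(selectedUserId, makeDefault);
  } catch (e) {
    return; // malformed id: do not navigate
  }
  window.location.assign(target);
  OnSuccess();
}
```

Client-side checks only shape the request; the code-behind still has to parse `Request.QueryString["uId"]` into the expected type and confirm that the signed-in user is allowed to switch to that id, because the query string can be edited by anyone.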