
This is my code where I have a userId in a method SwitchUser_Click. I need to prevent or somehow encode the return value from SwitchUser_Click, as it includes the UserId of a user and is vulnerable to an XSS attack or redirects.

function SwitchUser_Click(containerElement, OnSuccess) {
    // user chosen in the dialog's <select>
    var selecteduserId = $("select", containerElement).val();
    // "make default" checkbox state
    var makeDefault = $(":checkbox", containerElement).is(":checked");
    // selecteduserId is concatenated into the URL unencoded
    window.location = "Default.aspx?uId=" + selecteduserId + "&userActive=" + (makeDefault ? "1" : "0");
    OnSuccess();
}

The code below is called from the aspx page by using Client.RegisterScript and passing the parameters. This is the only place the SwitchUser_Click method is used.

function OpenSwitchUser(UserId, modCode, defUrl) {
    defaultUrl = defUrl; // defaultUrl is a global defined elsewhere on the page
    var options = {
        controlUrl: "~/Controls/SwitchUserDialog.ascx",
        params: { uid: UserId, mod: modCode },
        top: 70,
        width: 600,
        height: 2500,
        OKCallback: SwitchUser_Click,
        InitCallback: SwitchUserDialog_Init,
        cancelCallback: SwitchUser_Close
    };
    $.showControlDialog(options);
}

My aspx.cs page: here is the problem. I need to find a better approach to this part.

var parameterUserId = Request.QueryString["uId"]; // problem: need a better approach

I want to know how to encode my userId in the SwitchUser_Click method and decode it when it's called. Or maybe there is some other way to do this. Thank you

user3920526

1 Answer


Create the URL using the JavaScript URL API.

// resolve Default.aspx relative to the current page
const dest = new URL("Default.aspx", window.location);
// searchParams percent-encodes the value, so it cannot inject extra parameters
dest.searchParams.append("uId", selecteduserId);
window.location = dest.href;

This provides a higher-level API, and it correctly encodes everything for you.

Sjoerd
I want to know what I do when I try to get the queryString variable in the CS file. I have updated my question. Thank you very much for having a look at my issue. – user3920526 Aug 05 '20 at 14:21
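As an added example, not code from the question or the answer, here is the answer's URL-API approach carried through for both parameters the question's SwitchUser_Click passes, plus a parse-and-validate function mirroring what the aspx.cs side should do with uId. The base URL and the parameter values are constructed sample input.

```javascript
// Builds the redirect target with the URL API instead of string concatenation.
// A value containing URL metacharacters is percent-encoded by searchParams,
// so it stays a single uId value rather than becoming extra keys or a fragment.
function buildSwitchUserUrl(base, selectedUserId, makeDefault) {
  const dest = new URL("Default.aspx", base);          // base: constructed sample
  dest.searchParams.append("uId", selectedUserId);
  dest.searchParams.append("userActive", makeDefault ? "1" : "0");
  return dest.href;
}

// Server-side counterpart (shown in JavaScript for a runnable illustration):
// read uId back and accept it only if it is a plain positive integer.
// Anything else is rejected before it can be echoed into markup or used
// to pick a redirect target.
function parseUserId(href) {
  const raw = new URL(href).searchParams.get("uId");
  if (raw === null || !/^[1-9]\d{0,9}$/.test(raw)) return null;
  return Number(raw);
}
```

Decoding on the server is automatic (Request.QueryString already URL-decodes); the part that matters there is the whitelist check, which here is "digits only".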