I’ve written some code and have a feeling there’s a security issue with it, but I can’t figure out what it is.
Is there a security risk in including URL parameters directly into part of a link on a webpage?
- User visits
- JS reads the URL, and retrieves part of it, in this case
- JS builds a URL using that data
- That new URL is added to the page (Adding the URL to the page is escaped, so injecting JS shouldn’t be a problem, in theory)
Is there any way that displaying or clicking on `https://www.example.com/2/<any plain text here>` could be a security flaw?
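The flow listed in the question, as an added example that is not part of the original post: the value read from the visited URL is confined to a single path segment under `https://www.example.com/2/` and the result is re-parsed before use. The function name `buildLink` and the query parameter name `id` are assumptions, since the post does not say which part of the URL is read.

```javascript
// Added example. buildLink and the "id" parameter name are hypothetical;
// the post does not say which part of the visited URL is read.
const BASE = "https://www.example.com/2/"; // link prefix from the question

// Returns a link that stays under BASE, or null if the value is unusable.
function buildLink(visitedUrl, paramName = "id") {
  const raw = new URL(visitedUrl).searchParams.get(paramName);
  if (raw === null || raw === "") return null;

  // Control characters have no place in a link shown to the user.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return null;
  // A bare dot segment would be resolved away and climb out of /2/.
  if (raw === "." || raw === "..") return null;

  // encodeURIComponent escapes / ? # & : so the value cannot add path
  // segments, a query string, a fragment, or a scheme of its own.
  const link = new URL(BASE + encodeURIComponent(raw));

  // Re-parse and verify instead of trusting the string concatenation.
  const base = new URL(BASE);
  if (link.origin !== base.origin) return null;
  if (!link.pathname.startsWith(base.pathname)) return null;
  if (link.search !== "" || link.hash !== "") return null;
  return link.href;
}

// Constructed sample inputs, for illustration only.
const samples = [
  "https://www.example.com/?id=hello world",
  "https://www.example.com/?id=../../admin",
  "https://www.example.com/?id=//other.example/x",
  "https://www.example.com/?id=..",
  "https://www.example.com/?other=1",
];
for (const s of samples) console.log(s, "->", buildLink(s));

// In the browser, assign the result through DOM properties rather than
// HTML strings: a.href = link; a.textContent = link;
```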