Is building part of an href on a webpage from URL parameters a security risk?

I’ve written some code and have a feeling there’s a security issue with it, but I can’t figure out what it is.

Is there a security risk in including URL parameters directly into part of a link on a webpage?


  • User visits
  • JS reads the URL, and retrieves part of it, in this case guid
  • JS builds a URL using that data
  • That new URL is added to the page (Adding the URL to the page is escaped, so injecting JS shouldn’t be a problem, in theory)

Is there any way that displaying or clicking on<any plain text here> could be a security flaw?