Question Details

No question body available.

Tags

javascript security iframe sanitization

Answers (2)

April 15, 2026 Score: 2 Rep: 139 Quality: Low Completeness: 40%

Instead of regex sanitization, construct the URL safely and encode parameters properly

// Look up the token from the same three places the original code checks
const authToken =
  sessionStorage.getItem('authtoken') ??
  this.sessionStorage.retrieve('authenticationtoken') ??
  localStorage.getItem('authtoken');

// Let URL/URLSearchParams do the encoding instead of a hand-written regex
const url = new URL('/api/sso/phoenix/callback', window.location.origin);
url.searchParams.set('token', authToken ?? '');
url.searchParams.set('return_to', '/app/main/home');

// The original snippet assumed an existing iframe element; it is created here so the code runs as written
const iframe = document.createElement('iframe');
iframe.src = url.toString();

April 15, 2026 Score: 0 Rep: 19,411 Quality: Medium Completeness: 80%

Seikh Imran's answer is probably more idiomatic for contemporary JavaScript, but this approach is equally secure, if a little older: use the encodeURIComponent function.

const authtoken = sessionStorage.getItem('authtoken') ||
                   this.sessionStorage.retrieve('authenticationtoken') ||
                   localStorage.getItem('authtoken');

// Template literal (backticks) with the token percent-encoded; the other parameters are hard-coded
const loginUrl = `/api/sso/phoenix/callback?token=${encodeURIComponent(authtoken)}&returnto=/app/main/home`;

var iframe = document.createElement('iframe');
iframe.src = loginUrl;
iframe.style.display = 'none';

document.body.append(iframe);

There is no need to encode the hard-coded URL parameters using this technique; you can plainly see there are no dangerous characters that need escaping.
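To see why both answers prefer encoding over regex sanitization, here is an added example (not code from either answer) that builds the callback URL with URLSearchParams, with encodeURIComponent, and with plain interpolation, then parses each result back to show what the server would receive. It runs under Node.js; the origin and the token value are constructed for the demonstration.

```javascript
// Added example, not code from either answer. Builds the SSO callback URL the
// two ways the answers describe, plus an unencoded version, and parses each
// result back to show what the server would receive. Runs under Node.js
// (global URL/URLSearchParams); origin and token values are constructed.

const ORIGIN = 'https://app.example'; // constructed stand-in for window.location.origin

// Constructed token containing characters a hand-written regex "sanitizer"
// might overlook: '&' and '=' add parameters, '#' starts a fragment.
const SAMPLE_TOKEN = 'abc123&return_to=https://evil.example/#frag';

// Variant from the first answer: URL + URLSearchParams does the encoding.
function buildWithSearchParams(origin, token, returnTo) {
  const url = new URL('/api/sso/phoenix/callback', origin);
  url.searchParams.set('token', token ?? ''); // a null token becomes an empty value
  url.searchParams.set('return_to', returnTo);
  return url.toString();
}

// Variant from the second answer: template literal + encodeURIComponent on the
// token only; return_to is a hard-coded path, so the answer leaves it as-is.
function buildWithEncode(origin, token, returnTo) {
  return `${origin}/api/sso/phoenix/callback?token=${encodeURIComponent(token ?? '')}&return_to=${returnTo}`;
}

// Unencoded interpolation, for contrast: the token's metacharacters are parsed
// as URL structure instead of as part of the token value.
function buildUnencoded(origin, token, returnTo) {
  return `${origin}/api/sso/phoenix/callback?token=${token}&return_to=${returnTo}`;
}

// Parse a built URL back into what a server (or a URL-aware reviewer) sees.
function parseParams(href) {
  const url = new URL(href);
  return {
    params: Object.fromEntries(url.searchParams),
    keys: [...url.searchParams.keys()].join(','),
    hash: url.hash,
  };
}

// Both encoded variants keep the whole token in one parameter with return_to
// intact; the unencoded one loses the intended return_to into the fragment.
console.log(parseParams(buildWithSearchParams(ORIGIN, SAMPLE_TOKEN, '/app/main/home')));
console.log(parseParams(buildWithEncode(ORIGIN, SAMPLE_TOKEN, '/app/main/home')));
console.log(parseParams(buildUnencoded(ORIGIN, SAMPLE_TOKEN, '/app/main/home')));
```

The same check is worth running on any value that comes from storage or user input: if parsing the built URL back does not return exactly the parameters you set, the encoding is wrong.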