I was going through some legacy code to fix some security issues. One of them was that links were passing data in the URL of the request, e.g. NewFile.aspx?uid=1234

Rather than storing data in a session, developers sometimes take shortcuts like this, which could be due to the pressure or time limits we have in shipping a product.

Aside from that, let's see how we can fix this issue. What we want to accomplish is to post some data without calling server code, and we can achieve that with some tricks in JavaScript.

Let's say you have a link like <a onclick="javascript:NewFile()">New File</a>
(Note: I know this is not good; again, it's legacy code.)

    function NewFile()
    {
        window.open("NewFile.aspx?uid=1234", "", "width=800,height=600,left=100,top=100,resizable=yes,scrollbars=yes");
    }

Now we want to make a POST request to the window and pass in the data.
Here is how we do it: I created a blank HTML page first (post.htm) and used this JavaScript.

    function OpenWindowWithPost(url, windowoption, name, params)
    {
        // Build a throwaway form that posts to the named window.
        var form = document.createElement("form");
        form.setAttribute("method", "post");
        form.setAttribute("action", url);
        form.setAttribute("target", name);

        // One hidden input per own property of params.
        for (var i in params) {
            if (params.hasOwnProperty(i)) {
                var input = document.createElement('input');
                input.type = 'hidden';
                input.name = i;
                input.value = params[i];
                form.appendChild(input);
            }
        }

        document.body.appendChild(form);

        // Note: I am using a post.htm page since I did not want to make a double request to the page;
        // it might have some Page_Load call which might screw things up.
        window.open("post.htm", name, windowoption);

        form.submit();

        document.body.removeChild(form);
    }

    function NewFile()
    {
        var param = { 'uid' : '1234' };
        OpenWindowWithPost("NewFile.aspx",
            "width=730,height=345,left=100,top=100,resizable=yes,scrollbars=yes",
            "NewFile", param);
    }

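By doing so we can now pass the data to the NewFile.aspx page with a POST request. Also note that if you are using Request.QueryString["uid"] in the NewFile.aspx page, you will need to change it to Request["uid"]. Keep in mind that Request["uid"] looks in the query string, the form fields, cookies and server variables, so it still accepts a uid sent on the URL; Request.Form["uid"] reads only the posted form.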
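A stricter variant of the helper, as an added example that is not part of the original post: it refuses an action URL that points to another origin or still carries a query string, and it rejects non-primitive field values before anything is attached to the page. The names checkedAction and postFields and the doc/win parameters are assumptions made for this example.

```javascript
// Added example. postFields, checkedAction and the doc/win parameters are
// hypothetical names; window.open and form.submit are used as in the post.

// Resolve the form action against the current page and refuse targets that
// would leak the data: another origin, or a URL that still has a query string.
function checkedAction(url, pageUrl) {
  const target = new URL(url, pageUrl);
  if (target.origin !== new URL(pageUrl).origin) {
    throw new Error("refusing to post to another origin: " + target.origin);
  }
  if (target.search !== "") {
    throw new Error("move query-string values into params: " + target.search);
  }
  return target.href;
}

// Turn params into [name, value] pairs. Only own properties with primitive
// values are accepted, so nothing is silently posted as "[object Object]".
function postFields(params) {
  return Object.keys(params).map(function (key) {
    const value = params[key];
    if (!["string", "number", "boolean"].includes(typeof value)) {
      throw new TypeError("unsupported value for field " + key);
    }
    return [key, String(value)];
  });
}

function openWindowWithPost(doc, win, url, windowOption, name, params) {
  const form = doc.createElement("form");
  form.method = "post";
  form.action = checkedAction(url, win.location.href);
  form.target = name;
  postFields(params).forEach(function (pair) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = pair[0];
    input.value = pair[1];
    form.appendChild(input);
  });
  doc.body.appendChild(form);
  win.open("post.htm", name, windowOption); // blank placeholder, as in the post
  form.submit();
  doc.body.removeChild(form);
}
```

In a page it is called as openWindowWithPost(document, window, "NewFile.aspx", "width=730,height=345", "NewFile", { uid: "1234" }); passing doc and win explicitly also lets the function be exercised with stubs outside a browser.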

Hope this helps :)