Best way to safely read query string parameters?

余生分开走 2020-12-30 16:58

We have a project that generates a code snippet that can be used on various other projects. The purpose of the code is to read two parameters from the query string and assig

5 answers
  •  一生所求
    2020-12-30 17:39

    Several things you should be doing:

    • Strictly whitelist your accepted values, according to type, format, range, etc.
    • Explicitly blacklist certain characters (even though this is usually bypassable), IF your whitelist cannot be extremely tight.
    • Encode the values before output; if you're using Anti-XSS you already know that a simple HtmlEncode is not enough.
    • Set the src property through the DOM, and not by generating an HTML fragment.
    • Use the dynamic value only as a querystring parameter, and not for arbitrary sites; i.e. hardcode the name of the server, target page, etc.
    • Is your site over SSL? If so, using a frame may cause inconsistencies with SSL UI...
    • Using named frames in general can allow Frame Spoofing; if on a secure site, this may be a relevant attack vector (for use with phishing etc.)
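The whitelist, DOM-based src assignment and hard-coded target from the answer above, as an added example that is not part of the original post. The parameter names (`id`, `lang`), their allowed formats and the target origin/path are assumptions.

```javascript
// Added example (not from the original post): read two query-string
// parameters, validate them against a strict whitelist, and build the
// frame URL with a hard-coded origin and path so the values can only ever
// become query parameters, never markup and never a foreign target.
// Parameter names, allowed formats and target host are assumptions.

const ALLOWED = {
  // assumed: an opaque identifier, 1-32 alphanumerics, underscore or hyphen
  id: /^[A-Za-z0-9_-]{1,32}$/,
  // assumed: a language tag from a closed set
  lang: /^(en|de|fr|zh)$/,
};

// Hard-coded target (assumed values); only the query string is dynamic.
const TARGET_ORIGIN = "https://widgets.example.com";
const TARGET_PATH = "/embed";

// Returns { id, lang } when both parameters pass the whitelist, else null.
function readSafeParams(queryString) {
  const params = new URLSearchParams(queryString);
  const out = {};
  for (const [name, pattern] of Object.entries(ALLOWED)) {
    const value = params.get(name); // null when absent
    if (value === null || !pattern.test(value)) return null;
    out[name] = value;
  }
  return out;
}

// Builds the frame URL via the URL API, which percent-encodes the values;
// origin and path are fixed, so input cannot point the frame elsewhere.
function buildFrameUrl(safeParams) {
  const url = new URL(TARGET_PATH, TARGET_ORIGIN);
  for (const [name, value] of Object.entries(safeParams)) {
    url.searchParams.set(name, value);
  }
  return url.toString();
}

// Sets src through the DOM property; no HTML string is ever concatenated.
// Returns the applied URL, or null when the input was rejected outright.
function mountFrame(frameElement, queryString) {
  const safe = readSafeParams(queryString);
  if (safe === null) return null; // reject rather than try to sanitise
  frameElement.src = buildFrameUrl(safe);
  return frameElement.src;
}

if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  if (mountFrame(frame, window.location.search)) document.body.appendChild(frame);
}
```

Rejected input leaves the page without a frame at all, which is the safe default when the snippet runs on sites you do not control.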
