I want to create a webpage which redirects a user if some cookies are previously set by my webpage. Like this: (I am using a jquery cookie plugin)
// get cookies (jquery.cookie returns undefined when a cookie is not set)
var email = $.cookie("email_addr");
var postcode = $.cookie("post_code");
if (email != undefined && postcode != undefined) {
    // insert cookies into redirect url
    var redirect =
        "https://docs.google.com/forms/d/1BofVyLFj9-Y2RQ8LxZuaptS071yHDqW4cdZhvvqTNz8/viewform?entry.139029761=" + email +
        "&entry.1727046863=" + postcode;
    console.log(redirect);
}
(URL character replacement omitted for readability)
Can I assume the cookies are safe and cannot be modified by anyone but the user and the application, so XSS attacks are not possible, or do I need to validate them anyway?
I will validate the cookies when they are set, my question is if I can trust my own cookies.
You should always validate data provided by the user and assume that it could be modified. It can even be modified not by a third party, but by a malicious user or by someone who has access to a legitimate user's browser. You should also protect cookies that contain user personal data (email, password, address, etc.) from XSS. A good way would be using the HttpOnly flag. A better way is to encrypt cookies, so only your application knows their content. This would prevent cookie content from direct access as well.
Important: As @Eda190 stated in the comments to the following answer, you should not only protect cookies from XSS, but your application in general. Here is a good cheat sheet.