I'm modifying an .aspx page that uses some JavaScript to download a file based on the value attribute in this tag:
<input type="hidden" id="launchDocument" value="pdf/<%=Settings.LaunchDocument%>" >
That value is currently hard-coded into the Web.config file. The client wants this page to now be a download page for their archived newsletters. My thoughts were to have the page pull in the filename from the query string so the sending page could define what file is being downloaded:
<input type="hidden" id="launchDocument" value="../pdf/<%=Request.QueryString["filename"]%>" />
But, I'm concerned whether there is any security risk to this method. If there is, what are the best practices for checking the query string's value to make sure it's a valid .pdf filename before adding it to the page?
Thanks in advance for any help!
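The concern in the question is real on two counts: the raw query-string value can contain path separators (so a user can point the page at files outside the pdf folder) and it is written into an HTML attribute unencoded (so a quote in the value can break out of the attribute and inject markup). The following is an added example, not the poster's code or any forum answer, showing the checks a practitioner would put on the server side before the value reaches the page. It assumes an ASP.NET application, a single archive folder that holds the newsletters, and that valid names are plain "name.pdf" with no directory part; the class and method names are illustrative.

```csharp
// Added example (not the poster's code): server-side validation of the
// "filename" query-string value before it is written into the hidden input.
// Assumptions: the archive lives in one folder, valid names are a plain
// "name.pdf" with no directory part, and the page is ASP.NET.
using System;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;

public static class NewsletterDownload
{
    // Only a simple base name followed by ".pdf": letters, digits, '-', '_'.
    // No slashes, backslashes, extra dots, quotes or angle brackets can match.
    // \z (not $) so a trailing newline cannot sneak past the anchor in .NET.
    private static readonly Regex SafePdfName =
        new Regex(@"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.pdf\z",
                  RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Returns true with the validated name, or false if the value must be rejected.
    public static bool TryGetSafePdfName(string candidate, out string safeName)
    {
        safeName = null;
        if (string.IsNullOrEmpty(candidate)) return false;
        if (!SafePdfName.IsMatch(candidate)) return false;
        // Defence in depth: refuse anything with a directory component even if the
        // pattern above were later relaxed.
        if (Path.GetFileName(candidate) != candidate) return false;
        safeName = candidate;
        return true;
    }

    // Resolves the validated name inside the archive folder and confirms the
    // resolved path is still under that folder (blocks "../" traversal).
    public static bool TryResolveInArchive(string archiveRoot, string safeName, out string fullPath)
    {
        fullPath = null;
        string root = Path.GetFullPath(archiveRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string resolved = Path.GetFullPath(Path.Combine(root, safeName));
        if (!resolved.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = resolved;
        return true;
    }

    // Builds the hidden input. The value is HTML-encoded so that even a name that
    // somehow passed validation cannot close the attribute and inject markup.
    public static string BuildHiddenInput(string safeName)
    {
        string encoded = WebUtility.HtmlEncode("../pdf/" + safeName);
        return "<input type=\"hidden\" id=\"launchDocument\" value=\"" + encoded + "\" />";
    }

    // Stand-alone demonstration with constructed inputs (no web server needed).
    public static void Main()
    {
        string[] samples =
        {
            "newsletter-2023-01.pdf",                 // accepted
            "../Web.config",                          // rejected: traversal, not .pdf
            "..\\..\\web.config",                     // rejected: backslashes, not .pdf
            "news.pdf\"><script>alert(1)</script>",   // rejected: quote and angle brackets
            "archive.pdf.exe",                        // rejected: wrong extension
            "",                                       // rejected: empty
        };
        foreach (string s in samples)
        {
            string name;
            if (TryGetSafePdfName(s, out name))
                Console.WriteLine("OK       " + s + "  ->  " + BuildHiddenInput(name));
            else
                Console.WriteLine("REJECTED " + s);
        }
    }
}
```

In the page itself, call TryGetSafePdfName on Request.QueryString["filename"] in Page_Load and, if it fails, respond with a 404 or fall back to the default document rather than echoing the value; then set the hidden field from the validated name. If the inline `<%= %>` syntax is kept, ASP.NET 4 and later also offer `<%: %>`, which HTML-encodes its output, so the encoding step is not forgotten in the markup. An allow-list of names built from the files actually present in the archive folder is stricter still and is a natural next step once the archive is in place.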
Use the forum search and you find this: