跟踪 link 使用 & 符号且没有前端的点击 javascript

Track a link click with ampersand and without front-end javascript

我在我的 NodeJS 应用程序中向外部网站提供 links。这些需要花费大量精力才能找到,我想跟踪点击次数。我更喜欢避免使用前端 JavaScript,因为我在浏览器中禁用了它。到目前为止,我一直在使用查询参数,例如:

router.get('/redir', async (req, res) => {
  let url = req.params.url;
  // my own tracking logic
  // ...
  res.redirect(url);
});

对于已经包含 GET 参数、问号和符号的 link,此代码失败。我试过这个:

router.get('/redir/:url', async (req, res) => {
  let url = req.params.url;
  res.redirect(url);
});

甚至连路由都没有调用。

如何跟踪已包含 ?&?

的 link 次点击

感谢评论,这是一种方法:

router.get('/redir', async (req, res) => {
  let url = req.originalUrl.replace("/redir?url=", "");
  // logic: verify that this redirect is authorized to avoid Open Redirect and phishing.
  if (authorizedUrls.includes(url)) {
    return res.redirect(url);
  }
  return res.redirect("/404");
});

您应该检查 URL 是否被授权以避免 Open Redirect, a highly dangerous way of phishing listed as Common Weakness Enumeration 601:

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Extended Description An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

来源:https://serverfault.com/questions/1049139/name-and-severity-of-this-type-of-redirect-fraud/1049141#1049141.