ews2001

Reputation: 2187

Is using document.write to display window.location.search insecure/vulnerable to XSS?

I have a page where I want to simply pass the querystring to another page. There is no server-side programming available, only HTML for this particular client (I can only use JavaScript/jQuery). They have a process where they want to pass a couple parameters to a pricing page, like so:

http://www.mydomain.com/pricing.html?affiliate=123&store=345

On the pricing page, all I want to do is collect the full querystring (?affiliate=123&store=345) and pass it along to the application page:

http://www.mydomain.com/application.html?affiliate=123&store=345

If I use the following JavaScript for the link on the pricing page to pass them to the application page, am I introducing any kind of cross-site scripting or other vulnerabilities?

<script type="text/javascript">document.write('<a href="http://www.mydomain.com/application.html'+location.search+'">Apply Now</a>');</script>

Upvotes: 4

Views: 1720

Answers (2)

Erlend

Reputation: 4416

Yes, you are vulnerable to XSS.

$("<a>").attr("href", 'http://www.mydomain.com/application.html'+location.search).text("Apply now").appendTo(document.body)

Upvotes: 2
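Added example, not part of the original thread or either answer: it contrasts the string-concatenation pattern from the question with a link whose query is rebuilt from allowlisted parameters and set through the DOM, the same approach as the jQuery `.attr()` line above. The digits-only ID rule, the helper names and the sample query string are assumptions constructed for illustration.

```javascript
// Added example. Only the URL and the two parameter names come from the question;
// every helper name and the validation rule are hypothetical.
const APPLICATION_URL = 'http://www.mydomain.com/application.html';
const ALLOWED_PARAMS = ['affiliate', 'store'];
const NUMERIC_ID = /^[0-9]{1,10}$/; // assumption: IDs are short decimal numbers

// Constructed sample: a query string carrying markup characters, as a client
// that does not percent-encode them would report it in location.search.
const SAMPLE_BAD = '?affiliate=123&store=345"><b>injected</b>';

// The pattern from the question: raw query text becomes part of HTML source,
// so a quote in the query ends the href attribute and the rest is parsed as markup.
function naiveLinkHtml(search) {
  return '<a href="' + APPLICATION_URL + search + '">Apply Now</a>';
}

// Hardened form: parse the query, keep only known parameters with valid
// values, and let URLSearchParams re-encode what is kept.
function buildApplyHref(search) {
  const incoming = new URLSearchParams(search);
  const outgoing = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null && NUMERIC_ID.test(value)) {
      outgoing.set(name, value);
    }
  }
  const query = outgoing.toString();
  return query ? APPLICATION_URL + '?' + query : APPLICATION_URL;
}

// Set the attribute through the DOM so the value is never parsed as HTML.
function renderApplyLink(doc, search) {
  const link = doc.createElement('a');
  link.setAttribute('href', buildApplyHref(search));
  link.textContent = 'Apply Now';
  doc.body.appendChild(link);
  return link;
}

// Runs only in a browser; skipped when the file is loaded elsewhere.
if (typeof document !== 'undefined') {
  renderApplyLink(document, location.search);
}
```

With the constructed sample, `naiveLinkHtml` returns markup containing the injected `<b>` element, while `buildApplyHref` drops the invalid `store` value and keeps only `affiliate=123`.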

Zebby Dee

Reputation: 401

Short answer, you aren't introducing any vulnerabilities that don't already exist (since you're already passing that information via the query string to the pricing page).

Longer answer, it depends on what you do with the information in the application.html page. If you're allowing the variables passed in the query string to change state or access protected information on the server, or feeding them into e.g. a SQL query without validation, then yes, you are introducing vulnerabilities. But that won't change merely by using a different method to pass the parameters (i.e. POST) - it's a characteristic of how you validate and use the data after you get it.

Upvotes: 0
