Is it safe to use window.location to query the GET parameters of a page?


I'm doing a peer review and I've found people using to check what paremetes have been sent to a given (search) page.

Is it safe to do so? I was thinking that we could probably print the parameters in the HTML output inside a script block and verify the printed variables instead of querying window.location.

One thing to note about this approach. window.location is set statically on page load and will not detect changes that the user has made to the address bar after that time. This should not be a concern but it is important to know.

Save the following code as an html file and fire it up in a browser:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="" xml:lang="en" lang="en">
        <a href="javascript:void(0);"
                onclick="alert(window.location);">click me</a>

The "click me" anchor will display the current window location onclick. However if you add anything to the address bar and click the link again it will report the same thing it did the first time.

Hopefully this is not a concern and I cannot imagine that it would affect you in any way but it is good to know.