Summary
While reviewing the NFC payload generation flow in apps/backend/src/routes/nfc.ts, I noticed that dynamic route/query values are directly interpolated into the generated payload URL without URL encoding.
Current implementation:
const payloadUrl = `https://dev-card.vercel.app/${username}${
cardId ? `?card=${cardId}` : ''
}`;Potential Impact
- malformed NFC payload URLs for usernames/card IDs containing reserved URL characters
- inconsistent behavior across NFC readers/scanners
- broken query parsing when special characters are present
- reduced reliability of cross-device NFC sharing flows
Suggested Fix
Use encodeURIComponent() for dynamic route/query parameters before constructing the payload URL.
Example Scenario
If a username or card ID contains reserved URL characters such as:
the generated NFC payload URL may become malformed or produce unintended query parsing behavior.
Example:
username = "john#doe"
cardId = "frontend&design"
Generated URL:
https://dev-card.vercel.app/john#doe?card=frontend&design
Here, # starts a URL fragment and & may be interpreted as a separate query parameter, causing unintended URL parsing behavior.
This can break NFC payload parsing depending on the scanner/browser implementation.
Expected Behavior
Dynamic route and query parameters should be safely URL-encoded before generating the NFC payload URL.
Proposed Improvement
Encode dynamic values using encodeURIComponent() before interpolating them into the payload URL.
Potential implementation:
const safeUsername = encodeURIComponent(username);
const safeCardId = cardId
? encodeURIComponent(cardId)
: '';
const payloadUrl = `https://dev-card.vercel.app/${safeUsername}${
safeCardId ? `?card=${safeCardId}` : ''
}`;
Summary
While reviewing the NFC payload generation flow in
apps/backend/src/routes/nfc.ts, I noticed that dynamic route/query values are directly interpolated into the generated payload URL without URL encoding.Current implementation:
Potential Impact
Suggested Fix
Use
encodeURIComponent()for dynamic route/query parameters before constructing the payload URL.Example Scenario
If a username or card ID contains reserved URL characters such as:
#&?/the generated NFC payload URL may become malformed or produce unintended query parsing behavior.
Example:
Generated URL:
Here,
#starts a URL fragment and&may be interpreted as a separate query parameter, causing unintended URL parsing behavior.This can break NFC payload parsing depending on the scanner/browser implementation.
Expected Behavior
Dynamic route and query parameters should be safely URL-encoded before generating the NFC payload URL.
Proposed Improvement
Encode dynamic values using
encodeURIComponent()before interpolating them into the payload URL.Potential implementation: