Riley Lark

Reputation: 20890

Does specifying "http://" or "https://" eliminate risk of attacks in user-input links?

I want to allow users to make links in my web app that other users can see. I don't want them to be able to run any JavaScript or XSS or anything, of course. Does a simple "http://" at the beginning eliminate those problems? That is, if an href starts with "http://", can I let my users click it without worrying too much?

Upvotes: 0

Views: 72

Answers (1)

mfontanini

Reputation: 21900

As long as you escape HTML tags and quotes in the links they post, there won't be any problem. Obviously, if a site contains a reflected XSS, such as http://example.com/?x=<script>...</script> and such a link is posted, you can't avoid the XSS if the page they're redirected to is XSS vulnerable.

Upvotes: 2
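
The two checks discussed in this thread (an http/https scheme and escaping of HTML tags and quotes), combined in one place as an added example that is not part of the original question or answer. The function names `escapeHtml`, `safeHref` and `renderLink` are hypothetical; the code assumes a runtime with the WHATWG `URL` class (browsers, Node.js) and parses the link instead of comparing a string prefix.

```javascript
// Added example; escapeHtml, safeHref and renderLink are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Escape the characters that can close a quoted attribute or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return a normalized absolute URL, or null when the input is not an
// http(s) link. The URL parser lowercases the scheme and strips leading
// whitespace and embedded tabs/newlines, so the protocol is compared on
// what a browser would actually navigate to.
function safeHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input); // no base URL: relative or scheme-less input throws
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Build the anchor markup; rejected input is shown as inert, escaped text.
function renderLink(input) {
  const href = safeHref(input);
  if (href === null) return escapeHtml(input);
  const h = escapeHtml(href);
  return `<a href="${h}" rel="noopener noreferrer nofollow">${h}</a>`;
}

// Constructed sample inputs (not taken from any real site).
const samples = [
  "https://example.com",
  "http://example.com/?x=<script>alert(1)</script>",
  'http://example.com/"onmouseover="x',
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
  "//example.com/path",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderLink(s));
```

As the answer notes, this only protects the page that displays the link; it does nothing about a reflected XSS on the site the link points to.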
