Forum: Ruby on Rails safe html links

Josh R. (Guest)
on 2006-03-01 05:05
(Received via mailing list)
Hi,

I'm working on a web app that allows users to submit links to external
sites.  I'm curious if there are any special security considerations I
should take aside from escaping the user input with h( )?  Is it safe to
directly link_to h(user_inputted_url), h(user_inputted_url) or could
that be exploited in a way that I'm not thinking of?  Thanks.
Charlie B. (Guest)
on 2006-03-01 15:25
(Received via mailing list)
I'm also very curious about this question.

Charlie B.
http://www.recentrambles.com
Jeff J. (Guest)
on 2006-03-01 16:51
Charlie B. wrote:
> I'm also very curious about this question.
>
> Charlie B.
> http://www.recentrambles.com

Just from experience with phishing, I would disallow the use of "@"
characters in URLs, since they are usually used in user/password on
website tricks like

http://www.ebay.com:removed_email_address@domain.invalid

Probably wouldn't be as effective as a phishing method on a website but
you never know.
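
One way to apply the "@" check before a submitted URL ever reaches `link_to`, as an added example that is not code from any poster in this thread. The helper name `safe_external_url`, the restriction of the "@" check to the host part of the URL, and the http/https scheme allow-list are assumptions that go beyond what the thread states; the sample URLs are constructed.

```ruby
require "uri"

# Assumption: only these schemes are acceptable for user-submitted links.
ALLOWED_SCHEMES = %w[http https].freeze

# Hypothetical helper: returns the URL as a string when it is acceptable
# to render as an external link, or nil when it should be rejected.
def safe_external_url(input)
  return nil unless input.is_a?(String)

  candidate = input.strip
  # Reject empty input and any embedded whitespace or control characters.
  return nil if candidate.empty? || candidate.match?(/[\s\x00-\x1f\x7f]/)

  # Check the raw authority (between "scheme://" and the first "/", "?" or "#")
  # for "@", so the decision does not depend on how a parser treats userinfo.
  authority = candidate[%r{\A[a-z][a-z0-9+.-]*://([^/?#]*)}i, 1]
  return nil if authority.nil? || authority.include?("@")

  uri = begin
    URI.parse(candidate)
  rescue URI::InvalidURIError
    return nil
  end

  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  return nil if uri.host.nil? || uri.host.empty?
  return nil unless uri.userinfo.nil?

  uri.to_s
end

# Constructed sample submissions and the helper's verdict for each.
SAMPLES = [
  "http://example.test/a?b=1",                 # accepted
  "https://example.test/@user",                # accepted: "@" is in the path
  "http://www.example.com:login@host.invalid/", # rejected: userinfo before host
  "ftp://example.test/file",                   # rejected: scheme not allowed
  "example.test/page"                          # rejected: no scheme or host
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{safe_external_url(s).inspect}" }
end
```

Render the link only when the helper returns a string; the h( ) escaping from the original question still applies to whatever is output.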