Hi, I'm working on a web app that allows users to submit links to external sites. I'm curious if there are any special security considerations I should take aside from escaping the user input with h( )? Is it safe to directly link_to h(user_inputted_url), h(user_inputted_url), or could that be exploited in a way that I'm not thinking of? Thanks.
on 2006-03-01 05:05
on 2006-03-01 15:25
I'm also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:
> firstname.lastname@example.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Charlie B.
http://www.recentrambles.com
on 2006-03-01 16:51
Charlie B. wrote:
> I'm also very curious about this question.
>
> On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:
>
>> email@example.com
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>
> Charlie B.
> http://www.recentrambles.com

Just from experience with phishing, I would disallow the use of "@" characters in URLs, since they are usually used in user/password-on-website tricks like http://www.ebay.com:firstname.lastname@example.org

Probably wouldn't be as effective as a phishing method on a website, but you never know.
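An added example (not code from anyone in this thread) of checking a submitted URL before handing it to link_to. It rejects the "host:login@otherhost" userinfo trick described above by parsing the URL rather than scanning for "@", and goes one step beyond the thread by also restricting the scheme to http/https. The module and method names are made up for this example.

```ruby
require "uri"

# Hypothetical helper: validate a user-submitted URL server-side, before
# it is stored or rendered, so that h() only has to deal with HTML escaping.
module SubmittedUrl
  ALLOWED_SCHEMES = %w[http https].freeze

  # Returns the URL as a string if it is acceptable, or nil if it must be rejected.
  def self.sanitize(input)
    return nil if input.nil?
    uri = URI.parse(input.strip)
    # Only absolute http(s) URLs; URI::HTTP covers both http and https,
    # so "javascript:" or "ftp:" links never reach the href attribute.
    return nil unless uri.is_a?(URI::HTTP)
    return nil unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    # Reject anything with a userinfo part: "www.ebay.com:login@example.org"
    # parses as user "www.ebay.com", password "login", host "example.org".
    return nil if uri.userinfo
    return nil if uri.host.nil? || uri.host.empty?
    uri.to_s
  rescue URI::InvalidURIError
    nil
  end
end

# Constructed sample inputs, as a user might submit them.
SAMPLES = [
  "http://example.com/path?q=1",                          # accepted
  "http://www.ebay.com:firstname.lastname@example.org",   # rejected: userinfo
  "javascript:alert(1)",                                  # rejected: scheme
  "not a url"                                             # rejected: unparsable
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{SubmittedUrl.sanitize(s).inspect}" }
end
```

In the view, only URLs that came back non-nil from the check would be rendered with link_to h(url), url.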