Safe html links


#1

Hi,

I’m working on a web app that allows users to submit links to external
sites. I’m curious if there are any special security considerations I
should take aside from escaping the user input with h( )? Is it safe to
directly link_to h(user_inputted_url), h(user_inputted_url) or could
that be
exploited in a way that I’m not thinking of. Thanks.


#2

I’m also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:

removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails

Charlie B.
http://www.recentrambles.com


#3

Charlie B. wrote:

I’m also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:

removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails

Charlie B.
http://www.recentrambles.com

Just with experience with Phishing I would disallow the use of “@”
characters in URLs since they are usually used in user/password on
website tricks like

http://www.ebay.com:removed_email_address@domain.invalid

Probably wouldn’t be as effective as a phishing method on a website but
you never know.