Forum: Ruby on Rails safe html links

Josh Rickard (Guest)
on 2006-03-01 04:05
(Received via mailing list)
Hi,

I'm working on a web app that allows users to submit links to external
sites.  I'm curious if there are any special security considerations I
should take aside from escaping the user input with h( )?  Is it safe to
directly link_to h(user_inputted_url), h(user_inputted_url) or could
that be exploited in a way that I'm not thinking of?  Thanks.
Charlie Bowman (Guest)
on 2006-03-01 14:25
(Received via mailing list)
I'm also very curious about this question.

Charlie Bowman
http://www.recentrambles.com
Jeff Jones (rurounijones)
on 2006-03-01 15:51
Charlie Bowman wrote:
> I'm also very curious about this question.
> Charlie Bowman
> http://www.recentrambles.com

Just from experience with phishing, I would disallow the use of "@"
characters in URLs since they are usually used in user/password on
website tricks like

http://www.ebay.com:blahblah@hackerswebsite.com

Probably wouldn't be as effective as a phishing method on a website but
you never know.
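
Added example (not part of the original thread or any poster's code): a check for user-submitted links that parses the URL and rejects a userinfo part, which is what the "@" in the URL above creates, instead of searching for the character, so an "@" in a query string is still accepted. The helper name, the http/https scheme allowlist and the sample URLs are assumptions made for this illustration; escaping with h() still applies when the link is rendered.

```ruby
require "uri"

# Assumption for this example: only plain web links are accepted.
ALLOWED_SCHEMES = %w[http https].freeze

# Hypothetical helper: returns [true, host] when the submitted URL may be
# linked, or [false, reason] when it should be refused.
def check_submitted_url(raw)
  uri = URI.parse(raw.to_s.strip)
  unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    return [false, "scheme not allowed"]
  end
  return [false, "missing host"] if uri.host.nil? || uri.host.empty?
  # Everything before "@" in the authority is userinfo, not the host the
  # browser will contact, so the visible name and the real host can differ.
  if uri.userinfo
    return [false, "userinfo present, real host is #{uri.host}"]
  end
  [true, uri.host]
rescue URI::InvalidURIError
  [false, "unparseable"]
end

if __FILE__ == $0
  # Constructed sample input; the first URL is the one quoted in the thread.
  samples = [
    "http://www.ebay.com:blahblah@hackerswebsite.com",
    "http://example.com/?email=a@b.com",
    "ftp://example.com/file",
    "not a url"
  ]
  samples.each do |s|
    ok, detail = check_submitted_url(s)
    puts "#{ok ? 'accept' : 'reject'}  #{s}  (#{detail})"
  end
end
```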