Hi, I'm working on a web app that allows users to submit links to external sites. I'm curious if there are any special security considerations I should take aside from escaping the user input with h( )? Is it safe to directly link_to h(user_inputted_url), h(user_inputted_url), or could that be exploited in a way that I'm not thinking of? Thanks.
on 2006-03-01 04:05
on 2006-03-01 14:25
I'm also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh Rickard wrote:
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Charlie Bowman
http://www.recentrambles.com
on 2006-03-01 15:51
Charlie Bowman wrote:
> I'm also very curious about this question.
>
> On Tue, 2006-02-28 at 21:05 -0600, Josh Rickard wrote:
>
>> Rails@lists.rubyonrails.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>
> Charlie Bowman
> http://www.recentrambles.com

Just from experience with phishing, I would disallow the use of "@" characters in URLs, since they are usually used in user/password-on-website tricks like http://www.ebay.com:firstname.lastname@example.org. Probably wouldn't be as effective as a phishing method on a website, but you never know.
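The check suggested in the last reply, as an added Ruby example that is not code from anyone in this thread: it screens a submitted URL before it is passed to link_to, refusing any "@" (the user:password@host lookalike trick) and, as an assumption that goes beyond the thread, also restricting the scheme to http/https. The strict keyword and the symbol return values are choices made for this example.

```ruby
require "uri"

# Added example, not code from the thread. Screens a user-submitted link
# before it reaches link_to. strict: true applies the thread's rule
# literally (any "@" is refused); strict: false refuses only a parsed
# userinfo component, so an "@" inside a query string is tolerated.
# The http/https allowlist is an assumption that goes beyond the thread.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns :ok when the link may be rendered, otherwise a symbol naming
# why it was rejected.
def classify_external_link(raw, strict: true)
  str = raw.to_s.strip
  return :empty if str.empty?
  # The "@" trick: http://www.ebay.com:firstname.lastname@example.org
  # parses as userinfo "www.ebay.com:firstname.lastname" and host
  # "example.org", so the visible prefix is not where the link goes.
  return :contains_at if strict && str.include?("@")

  uri = begin
    URI.parse(str)
  rescue URI::InvalidURIError
    return :unparseable
  end
  return :scheme_not_allowed unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  return :missing_host if uri.host.nil? || uri.host.empty?
  # Reached only when strict: false let an "@" through; still refuse
  # credentials in the authority part.
  return :has_userinfo unless uri.userinfo.nil?
  :ok
end

def safe_external_link?(raw, strict: true)
  classify_external_link(raw, strict: strict) == :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the lookalike URL from the thread.
  [
    "http://www.example.com/page",
    "http://www.ebay.com:firstname.lastname@example.org",
    "http://example.org/?u=a@b",
    "ftp://example.org/file",
    "not a url",
  ].each { |s| puts "#{s.inspect} => #{classify_external_link(s)}" }
end
```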