Safe html links

Hi,

I’m working on a web app that allows users to submit links to external
sites. I’m curious if there are any special security considerations I
should take aside from escaping the user input with h( )? Is it safe to
directly link_to h(user_inputted_url), h(user_inputted_url) or could
that be exploited in a way that I’m not thinking of? Thanks.

I’m also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:

http://lists.rubyonrails.org/mailman/listinfo/rails

Charlie B.
http://www.recentrambles.com

Charlie B. wrote:

I’m also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh R. wrote:

Charlie B.
http://www.recentrambles.com

Just from experience with phishing, I would disallow the use of “@”
characters in URLs, since they are usually used in user/password on
website tricks like

http://www.ebay.com:[email protected]

Probably wouldn’t be as effective as a phishing method on a website but
you never know.
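
The checks raised in this thread, as an added Ruby example that is not part of any poster's message: h() only escapes HTML metacharacters and does not restrict what a URL points to, so this sketch allow-lists the http and https schemes and rejects any “@” (userinfo) part in the authority before the value reaches link_to. The names `check_submitted_url`, `ALLOWED_SCHEMES` and `SAMPLES` are hypothetical, and the sample URLs are constructed.

```ruby
require "uri"

# Added example; names and sample data are hypothetical/constructed.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns [:ok, url] when the link may be rendered, else [:rejected, reason].
def check_submitted_url(raw)
  raw = raw.to_s
  return [:rejected, :blank] if raw.strip.empty?
  # Whitespace and control characters never belong in an absolute URL.
  return [:rejected, :bad_characters] if raw.match?(/[[:space:][:cntrl:]]/)

  begin
    uri = URI.parse(raw)
  rescue URI::InvalidURIError
    return [:rejected, :unparseable]
  end

  # HTML escaping leaves the scheme untouched, so allow-list it explicitly.
  unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    return [:rejected, :scheme_not_allowed]
  end
  return [:rejected, :no_host] if uri.host.to_s.empty?

  # The "@" concern from the thread: text before "@" in the authority is
  # userinfo, so the real host is whatever follows it. "@" in the path or
  # query is legitimate and is not affected by this check.
  authority = raw[%r{\A[^:/?#]+://([^/?#]*)}, 1].to_s
  return [:rejected, :userinfo_present] if authority.include?("@")

  [:ok, uri.to_s]
end

# Constructed submissions (203.0.113.5 is a documentation-only address).
SAMPLES = [
  "https://example.com/path?q=1",
  "http://example.com/users/@alice",
  "http://www.example.com:login@203.0.113.5/",
  "javascript:void(0)",
  "ftp://example.com/file",
  "http://example.com/a b"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{check_submitted_url(s).inspect}" }
end
```

In a view, only the URL from an `:ok` result would be passed to link_to, still escaped with h() when shown as link text.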