Hello everyone,

I have done pretty well to prevent XSS insertions by not allowing HTML to be entered in editable text areas. However, what if somebody has the following situation? Let's say you wanted to give users a way to enter a URL in an input form. This URL could be a previous employer's website, an educational institution, or even a portfolio. Let's say the client entering the URL worked for Google. So they enter http://www.google.com into the input field and click submit. This website is dynamic, so it will automatically appear as follows:

<a href="http://www.google.com" target="_blank">http://www.google.com</a>

That worked great!!! Now, here is the problem. What if a hacker came along and entered something like this in the text area:

http://www.google.com" onclick="JAVASCRIPT

The link would then appear as follows:

<a href="http://www.google.com" onclick="JAVASCRIPT" target="_blank">http://www.google.com</a>

Obviously, without prevention, a hacker could use any JavaScript he/she wanted. They could send the person to some other website or even import their own code. How can I, as a programmer, prevent this from happening?

Thanks for any advice, as it is always appreciated.

Sincerely,
Travis Walters
It's basically the same thing: just parse the URL for any bad characters and replace them with their entity equivalents. If you have 3rd-party links, it's a good idea to state in your terms of service that you are not liable for any damage caused by external links.
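As an added example (not code from either poster; the thread does not say what server language the site uses, so this is written for Node.js and assumes only the built-in WHATWG `URL` class), here is the quote breakout from the question rendered both the vulnerable way and the entity-encoded way the reply describes. Because `href` is a URL context as well as an attribute, the example also restricts the scheme to http/https before encoding: a value like `javascript:alert(1)` contains nothing that entity replacement would change. The function names and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the thread: rendering a user-supplied URL as a
// link the vulnerable way and the escaped way. Run with: node link.js

// Vulnerable: the raw value is dropped straight into the attribute, so a
// double quote in the input ends the href value and starts a new attribute.
function renderLinkVulnerable(url) {
  return '<a href="' + url + '" target="_blank">' + url + '</a>';
}

// Replace the characters that have meaning in HTML text and in a quoted
// attribute value with their entity equivalents ('&' must go first).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// href is also a URL context. A value such as javascript:alert(1) contains no
// character that escapeHtml touches, so the scheme is checked separately with
// the WHATWG URL parser built into Node and browsers. Only http/https pass.
function safeHttpUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input).trim());
  } catch (e) {
    return null; // not a parseable absolute URL (a space or quote in the host, etc.)
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null; // javascript:, data:, vbscript:, file:, ...
  }
  return parsed.href; // normalized form, e.g. a trailing slash is added
}

// Hardened: validate the scheme, then entity-encode the value in both the
// attribute and the link text. Anything that fails validation is shown as
// plain escaped text rather than turned into a link.
function renderLinkSafe(input) {
  const url = safeHttpUrl(input);
  if (url === null) {
    return escapeHtml(input);
  }
  const shown = escapeHtml(url);
  return '<a href="' + shown + '" target="_blank" rel="noopener noreferrer">' + shown + '</a>';
}

// Constructed inputs: the legitimate URL and the quote breakout from the
// question, plus a scheme-based payload that escaping alone would not catch.
const samples = [
  'http://www.google.com',
  'http://www.google.com" onclick="JAVASCRIPT',
  'javascript:alert(1)',
];

for (const s of samples) {
  console.log('input:      ' + s);
  console.log('vulnerable: ' + renderLinkVulnerable(s));
  console.log('safe:       ' + renderLinkSafe(s));
  console.log();
}
```

The order of operations matters: validate the URL as a URL first, then encode the result for the HTML context it is being placed into. `rel="noopener noreferrer"` is added alongside `target="_blank"` so the opened page cannot reach back to the opener window.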
Hey there,

Thanks for the advice. I will definitely put that in my terms of service.

Sincerely,
Travis Walters