security question : making urls safe

Hi folks,

Is there an issue with urls and security? How should I be encoding them? More than just h()?

thanks

I've read hundreds of these guides: they tell you to encode but usually not how in differing circumstances. The rails docs aren't well cross referenced, so they are out also.

That's why I am asking in a newsgroup.

Do you know the answer?

Ok, thanks for that.

Here's an example of what I mean:

I want to let the user click a user provided url. That url could be composed of javascript. I am assuming h() won't help for this situation. Is my only option whitelisting?

If whitelisting is it then I would prefer not to trust myself to the (rather fragile) url regexes out there. How do I know they won't leak? These security guides often don't tell how, just that you must. And there is no standardised library that I know of.

itsastickup wrote:

Ok, thanks for that.

Here's an example of what I mean:

I want to let the user click a user provided url. That url could be composed of javascript. I am assuming h() won't help for this situation. Is my only option whitelisting?

If whitelisting is it then I would prefer not to trust myself to the (rather fragile) url regexes out there. How do I know they won't leak? These security guides often don't tell how, just that you must. And there is no standardised library that I know of.

Thanks for this further explanation. What you are describing is a little different than what I understood from the OP. Basic rule of thumb is "Never trust ANY user input!" This is especially true if you are accepting URLs from users.

In this case, since you are taking a URL as an input parameter from the user, you certainly should sanitize that input using the html_escape (i.e. h) method when outputting the value. It might even be safer in this case to sanitize the input value before saving it to the database or other persistent storage. This should ensure that any attempt to inject JavaScript, or other unsafe user input, gets treated as literal text.
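The scheme whitelist asked about in the question, combined with the escaping recommended in the reply, as an added example that is not part of the original thread. It uses Ruby's standard `uri` parser instead of a regex; the names `ALLOWED_SCHEMES`, `safe_href` and `link_tag` and the http/https policy are assumptions made for illustration.

```ruby
require "uri"
require "cgi"

# Assumed policy: only absolute web links may become clickable.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL if it is acceptable as an href value, otherwise nil.
def safe_href(raw)
  return nil unless raw.is_a?(String) && raw.valid_encoding?
  candidate = raw.strip
  # Browsers ignore tabs/newlines inside a scheme, so "java\tscript:" must
  # not slip through; reject any control character or space outright.
  return nil if candidate.empty? || candidate.match?(/[\x00-\x20\x7f]/)
  uri = URI.parse(candidate)
  # Scheme-relative ("//host") and relative URLs have no scheme: rejected.
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::Error
  nil
end

# Renders a link; falls back to plain escaped text when the URL is refused.
def link_tag(raw, label)
  text = CGI.escapeHTML(label)
  href = safe_href(raw)
  return text if href.nil?
  # Escaping is still needed so "&" or quotes cannot break the attribute.
  %(<a href="#{CGI.escapeHTML(href)}" rel="nofollow noopener">#{text}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from the thread.
  samples = [
    "https://example.com/a?b=1&c=2",
    "javascript:alert(1)",
    " JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    "data:text/html,hi",
    "//example.com/x"
  ]
  samples.each { |s| puts "#{s.inspect} => #{link_tag(s, 'link')}" }
  # HTML escaping alone leaves this value unchanged: it contains no
  # characters that escaping touches, hence the scheme check above.
  puts CGI.escapeHTML("javascript:alert(1)")
end
```

In a Rails view the helper's return value would still go through the normal output escaping rules; store the raw URL and apply the check at render time so a later policy change covers old rows too.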