security question : making urls safe

Hi folks,

Is there an issue with urls and security? How should I be encoding
them? More than just h()?

thanks

http://guides.rubyonrails.org/security.html

I've read hundreds of these guides: they tell you to encode but
usually not how in differing circmstances. The rails docs aren't well
cross referenced, so they are out also.

That's why I am asking in a newsgroup.

Do you know the answer?

Ok, thanks for that.

Here's an example of what I mean:

I want to let the user click a user provided url. That url could be
composed of javascript. I am asusming h() won't help for this
situation. Is my only option whitelisting?

If whitelisting is it then I would prefer not to trust myself to the
(rather fragile) url Regex's out there. How do I know they won't leak?
These security guides often don't tell how, just that you must. And
there is no standardised library that I know of.

itsastickup wrote:

Ok, thanks for that.

Here's an example of what I mean:

I want to let the user click a user provided url. That url could be
composed of javascript. I am asusming h() won't help for this
situation. Is my only option whitelisting?

If whitelisting is it then I would prefer not to trust myself to the
(rather fragile) url Regex's out there. How do I know they won't leak?
These security guides often don't tell how, just that you must. And
there is no standardised library that I know of.

Thanks for this further explanation. What you are describing is a little
different than what I understood from the OP. Basic rule of thumb is
"Never trust ANY user input!" This is especially true if you are
accepting URL's from users.

In this case since you are taking a URL as an input parameter from the
user then you certainly should sanitize that input using html_escape
(i.e. h) method when outputting the value. It might even be safer in
this case to sanitize the input value before saving it to the database
or other persistent storage. This should ensure that any attempt to
inject JavaScript, or other unsafe user input, get treated as literal
text.