Securely rendering hyperlinks in untrusted text
As part of a project, I'm accepting text from a user via a web form and displaying it on a web page. The text they provide may contain URLs; if so, I'd like to render them as hyperlinks for an improved experience. For example, the user might submit text containing http://www.google.com and I want to convert it to <a href="http://www.google.com">...
I'm wondering what security issues I should be aware of while doing this. I've already taken measures to avoid any simple XSS insertions, because my XML library will escape any special characters, but I imagine there are more sophisticated attacks.
In addition to ignoring javascript:, you should probably only make hyperlinks for the http: protocol, because there are certain applications that can be launched or controlled through other protocols. Steam, Skype, and AOL Messenger come to mind.
If you are only surrounding URLs with <a> elements, the only problem that should arise is if they enter a malicious URL (it might be shortened) and you end up clicking it, provided all other means of attack are secure in your software (e.g. cannot execute arbitrary JavaScript, etc.).
Make sure you don't consider the javascript: pseudo protocol when you are matching URLs. Nothing nice could come of that.
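The three answers above all come down to the same rule: escape everything, and only turn a match into a link when its scheme is on a short allowlist (http and https), so javascript:, data:, steam:, skype: and the like stay plain text. The following Python is an added example written to illustrate that rule; it is not code from the question, the answers, or any particular library. The regex, the `ALLOWED_SCHEMES` set, the trailing-punctuation handling and the `rel="nofollow noopener noreferrer"` attribute are my own assumptions about a reasonable linkifier, not something the page specifies.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: only these schemes become clickable. Anything else
# (javascript:, data:, vbscript:, steam:, skype:, aim:, ...) is rendered
# as escaped text, which is what the answers above recommend.
ALLOWED_SCHEMES = {"http", "https"}

# Candidate URL: a scheme, a colon, then non-whitespace characters that are
# not HTML delimiters. The pattern is deliberately broad so that
# "javascript:alert(1)" is *caught* as a candidate and then explicitly
# rejected, rather than slipping past the matcher untouched.
_URL_CANDIDATE = re.compile(r"""\b[a-zA-Z][a-zA-Z0-9+.\-]*:[^\s<>"']+""")

# Sentence punctuation that commonly trails a pasted URL (assumed list).
_TRAILING_PUNCT = ".,;:!?)]}"


def is_safe_link(candidate: str) -> bool:
    """True only for an absolute http(s) URL that actually has a host."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    # urlsplit lowercases the scheme, so "JAVASCRIPT:" is still rejected
    # and "HTTP://" is still accepted.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def linkify(text: str) -> str:
    """Escape untrusted text and wrap allowlisted http(s) URLs in <a> tags."""
    out = []
    pos = 0
    for m in _URL_CANDIDATE.finditer(text):
        url = m.group(0)
        stripped = url.rstrip(_TRAILING_PUNCT)

        # Ordinary text between matches is always HTML-escaped.
        out.append(html.escape(text[pos:m.start()], quote=True))

        if is_safe_link(stripped):
            # Escape the URL separately for both the attribute and the body;
            # quote=True handles the '"' and "'" cases inside href.
            safe = html.escape(stripped, quote=True)
            out.append(
                f'<a href="{safe}" rel="nofollow noopener noreferrer">{safe}</a>'
            )
            # Put the trailing punctuation back as plain text.
            out.append(html.escape(url[len(stripped):], quote=True))
        else:
            # Rejected scheme: keep the raw text, escaped, with no link.
            out.append(html.escape(url, quote=True))
        pos = m.end()

    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for sample in (
        "see http://www.google.com for more",
        "click javascript:alert(1) now",
        "launch steam://run/440 please",
        "<b>bold</b> and https://example.com/a?b=1&c=2.",
    ):
        print(linkify(sample))
```

Two points worth noting about the design: the scheme check is an allowlist, not a denylist of javascript:, because a denylist has to keep up with every URL scheme a desktop application registers, whereas an allowlist of http and https never needs to; and the URL is escaped on its own before being placed in `href`, so a match that contains quotes or `&` cannot break out of the attribute even though it is also present in the visible link text.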