
Best way to handle security and avoid XSS with user entered URLs
<p>We have a high security application and we want to allow users to enter URLs that other users will see.</p>
<p>This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.</p>
<p>What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough?</p>
<p>Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance)?</p>
<p>Is there an argument for not supporting user entered links at all?</p>
<hr>
<p>Clarification:</p>
<p>Basically our users want to input:</p>
<blockquote>
<p>stackoverflow.com</p>
</blockquote>
<p>And have it output to another user:</p>
<pre><code>&lt;a href="http://stackoverflow.com"&gt;stackoverflow.com&lt;/a&gt;
</code></pre>
<p>What I really worry about is them using this in an XSS hack. I.e. they input:</p>
<blockquote>
<p>alert('hacked!');</p>
</blockquote>
<p>So other users get this link:</p>
<pre><code>&lt;a href="alert('hacked!');"&gt;stackoverflow.com&lt;/a&gt;
</code></pre>
<p>My example is just to explain the risk - I'm well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.</p>
<p>You'd be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise <code>&lt;iframe&gt;</code>, <code>&lt;img&gt;</code> and clever CSS references?</p>
<p>I'm working in a high security environment - a single XSS hack could result in very high losses for us. I'm happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?</p>