As part of a project, I’m accepting text from a user via a web form and displaying it on a web page. The text they provide may contain URLs; if so, I’d like to render them as hyperlinks for an improved experience. For example, the user might submit text containing http://www.google.com and I want to convert it to <a href="http://www.google.com">...
I’m wondering what security issues I should be aware of while doing this. I’ve already taken measures to avoid any simple XSS insertions, because my XML library will escape any special characters, but I imagine there are more sophisticated attacks.
In addition to ignoring javascript:, you should probably only make hyperlinks for the http: protocol, because there are certain applications that can be launched or controlled through other protocols. Steam, Skype, and AOL Messenger come to mind.
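A worked version of the scheme allowlist this answer recommends, added here as an illustration; it is not code from the question or the answer. It assumes Node.js and its built-in WHATWG `URL` class. The function names (`linkify`, `safeHref`, `escapeHtml`), the candidate regex and the sample inputs are this example's own, and it allows `https:` alongside `http:`, which the answer does not mention. Every scheme that is not on the allowlist (javascript:, steam:, skype:, data:, and so on) is left as escaped plain text rather than becoming a link.

```javascript
// Added example (not from the question or answer): linkify user-supplied text
// while letting only http: and https: URLs become <a> elements. Tokens with
// any other scheme stay as escaped plain text. Node.js, no dependencies.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]); // allowlist, not a blocklist

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Candidate tokens: anything shaped like scheme:rest. Deliberately broad so that
// unwanted schemes are seen and rejected instead of slipping through unexamined.
const CANDIDATE = /[A-Za-z][A-Za-z0-9+.-]*:[^\s<>"']+/g;

// Return a normalized href for the token, or null if it must not become a link.
function safeHref(token) {
  let url;
  try {
    url = new URL(token); // throws on malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // scheme check on the parsed URL
  return url.href; // lower-cased scheme/host, leading/trailing whitespace and control chars removed
}

// Convert user-supplied plain text into HTML with safe hyperlinks.
function linkify(text) {
  let html = "";
  let last = 0;
  for (const m of text.matchAll(CANDIDATE)) {
    // Trailing sentence punctuation is not part of the URL.
    const token = m[0].replace(/[.,;:!?)]+$/, "");
    const trailing = m[0].slice(token.length);
    html += escapeHtml(text.slice(last, m.index));
    const href = safeHref(token);
    if (href === null) {
      html += escapeHtml(token); // disallowed scheme: render as text only
    } else {
      html += `<a href="${escapeHtml(href)}" rel="nofollow noopener noreferrer">${escapeHtml(token)}</a>`;
    }
    html += escapeHtml(trailing);
    last = m.index + m[0].length;
  }
  html += escapeHtml(text.slice(last));
  return html;
}

// Constructed sample inputs, not real user submissions.
const SAMPLES = [
  "see http://www.google.com for details.",
  "click javascript:alert(1) now",
  "launch steam://run/440 or call skype:echo123",
  '<script>alert(1)</script> http://x.com/?a=1&b=2',
];
for (const s of SAMPLES) console.log(linkify(s));
```

Two points worth noting in the design: the scheme decision is made on the parsed `URL` object, not on a string prefix, so case differences and leading whitespace do not fool it, and the text is escaped in every branch, so a rejected token cannot carry markup either.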