Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am currently working with some existing code that takes a URL out of the request and inputs it into the source of an anchor. This is clearly an opening for XSS and using urlencoding doesn’t retain the sanity of the url inside the anchor. I’m curious what the safest way to escape the data without breaking the link would be.
i.e.
<?
$url = $_REQUEST['url'];
echo '<a href="' . $url . '">sometext</a>';
?>
htmlspecialchars($url)will convert the HTML-sensitive characters to their entity equivalents. However, it is possible to insert javascript snippets into urls as well — details of which I am personally not knowledgeable of. A more complex solution such as HTML Purifier may assist you in covering most vulnerabilities.