I have used HTML purifier to weed out any suspect stuff coming in from my public facing WYSIWYG editor. The incoming HTML is also displayed in the public portion of the website.
I have allowed links, and I also automatically linkify URLs in plain text (using the purifier).
Is there a way to allow external links, but ban links to the same domain? E.g my domain is http://www.example.com
http://www.google.com will be linked.
http://www.example.com/logout/ will not be linked.
I am looking at minimizing any interference from malicious users. Should I just make my logout link a form action with a POST key/value pair to stop this from happening?
Thanks
Your login/out form should ALWAYS be POST-only.
Don’t worry about a verification value, but this is a pretty important security issue – any transactions which change the state of the webserver should be POST requests. You should NEVER allow http://example.com/object?action=delete, or any variant thereof. PHP encourages bad practice in this matter, but you should ALWAYS use one or the other, and NEVER allow both.
If your users can write forms into your WYSIWYG editor, you’ve got far bigger problems than this.
To answer your original question, to disable internal links, use
URI.HostBlacklistand be sure to setURI.MakeAbsolute:http://htmlpurifier.org/live/configdoc/plain.html#URI.HostBlacklist