#1
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2006. Posts: 22. Rep Power: 0

    Security risks allowing link setting by users


    I am setting up a semi-public input environment - easiest to think in terms of a forum - and wonder about the security risks of allowing users to add href links.

    I see this forum allows that.
    I figure even if BBCode is the interface the posting is still a live URL.

    XSS - JS injection (I'm trying to sound intelligent here)

    Perhaps totally a non-issue?
    I will be interested to have your thoughts
#2
    Come play with me! Devshed Supreme Being (6500+ posts). Join Date: Mar 2007. Location: Washington, USA. Posts: 13,756. Rep Power: 9397

    It's not an XSS/JS injection problem if you only allow people to add links. htmlentities() it, stick it in an href, and you're done.
    The only risk is that people will use it to spam/phish/etc. and that should be handled with, at the very least, some sort of moderation mechanism. Blacklists are fine but you will never even get close to catching everything.
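An added example, not code from the thread or from either poster, of the "escape it and put it in an href" approach, with the one check a practitioner would add: htmlentities() stops the value from breaking out of the attribute, but it does not reject a URL whose scheme is itself the problem (javascript:, data:), so the scheme is allowlisted first. Function and attribute names are my own choices.

```php
<?php
// Added example (not from the thread). Build an <a> tag from an untrusted URL and label.
// htmlentities() handles quotes and angle brackets so the value cannot escape the attribute;
// the scheme allowlist rejects URLs that would execute when clicked (javascript:, data:, ...).
function safe_link(string $url, string $text): ?string
{
    // Drop ASCII control characters and whitespace anywhere in the URL. Browsers ignore
    // these inside a scheme, so "java\tscript:" would otherwise read as "javascript:".
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if ($clean === null || $clean === '') {
        return null;
    }

    // Scheme allowlist: only absolute http(s) URLs are accepted (case-insensitive).
    if (!preg_match('#^https?://#i', $clean)) {
        return null;
    }

    // Anything parse_url() cannot interpret, or that has no host, is rejected too.
    $parts = parse_url($clean);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }

    // Encode for an HTML attribute / text node. ENT_QUOTES covers both quote styles.
    $href  = htmlentities($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $label = htmlentities($text,  ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // rel="nofollow ugc" marks the link as user-generated for crawlers, which takes away
    // most of the SEO incentive for link spam; noopener matters if target="_blank" is added.
    return '<a href="' . $href . '" rel="nofollow ugc noopener">' . $label . '</a>';
}

// Constructed sample inputs: one legitimate link, two that must be rejected, and one
// that tries to break out of the attribute (it is rendered harmlessly, quotes encoded).
var_dump(safe_link('https://example.com/?q=a&b="x"', 'Example'));
var_dump(safe_link('javascript:alert(1)', 'click'));
var_dump(safe_link(" jAva\tscript:alert(1)", 'click'));
var_dump(safe_link('http://example.com/"onmouseover="x', 'x'));
```

Moderation still applies on top of this: the function only guarantees the markup is inert, not that the destination is honest.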
#3
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2006. Posts: 22. Rep Power: 0

    As I say it is semi-public so moderating is relatively easy.

    I agree blacklists are almost useless.

    I will let them loose - or is that lose?

    Thanks
#4
    Come play with me! Devshed Supreme Being (6500+ posts). Join Date: Mar 2007. Location: Washington, USA. Posts: 13,756. Rep Power: 9397

    Let 'em loose, I say. Some people say you should strip HTML and censor stuff but I disagree.