September 25th, 2012, 06:28 PM
Security risks of allowing link setting by users
I am setting up a semi-public input environment - easiest to think in terms of a forum - and wonder about the security risks of allowing users to add href links.
I see this forum allows that.
I figure even if BBCode is the interface the posting is still a live URL.
XSS - JS injection (I'm trying to sound intelligent here)
Perhaps totally a non-issue?
I will be interested to have your thoughts.
September 25th, 2012, 06:47 PM
It's not an XSS/JS injection problem if you only allow people to add links. htmlentities() it, stick it in an href, and you're done.
The only risk is that people will use it to spam/phish/etc. and that should be handled with, at the very least, some sort of moderation mechanism. Blacklists are fine but you will never even get close to catching everything.
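As an added example (not code from the thread or from any project the thread describes): a PHP helper that does what the post above describes, htmlentities() the URL and put it in an href, plus the one check a practitioner would want next to it, a scheme allowlist. htmlentities() encodes `<`, `>`, `&` and quotes, so the attribute cannot be broken out of, but a `javascript:` or `data:` URL contains none of those characters and passes through it untouched; the allowlist is what rejects it. The function name, the set of allowed schemes, the `rel` value and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not from the original thread.
// Assumptions: the URL arrives as a plain string (e.g. from a BBCode [url] tag)
// and the page is served as UTF-8 HTML.

/**
 * Return an <a> element for $url, or null if the URL must not be linked.
 *
 * htmlentities() keeps the attribute well-formed (no breaking out of the
 * quotes, no injected tags), but it does nothing to a "javascript:" or
 * "data:" URL, so the scheme is checked against an allowlist first.
 */
function render_user_link(string $url, ?string $text = null): ?string
{
    // Browsers drop ASCII control characters and whitespace while parsing
    // the scheme, so "java\tscript:" is still javascript: to them. Strip
    // them before checking so the check sees what the browser sees.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', trim($url));
    if ($url === null || $url === '') {
        return null;
    }

    // Allowlist of schemes (assumption: a forum only needs these).
    // Everything else, including javascript:, data:, vbscript: and
    // scheme-less "//host/path" links, is rejected.
    if (!preg_match('~^(https?|mailto):~i', $url)) {
        return null;
    }

    $href  = htmlentities($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $label = htmlentities($text ?? $url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // rel="nofollow ugc" tells search engines the link is user-generated,
    // which removes most of the SEO incentive for link spam; it does not
    // replace moderation for phishing links.
    return '<a href="' . $href . '" rel="nofollow ugc">' . $label . '</a>';
}

// Constructed sample inputs for the example.
$samples = [
    'https://example.com/?q=a&b=<x>"',    // ordinary URL; special chars get encoded
    'javascript:alert(document.cookie)',  // untouched by htmlentities(), rejected by the allowlist
    "java\tscript:alert(1)",              // control char inside the scheme, also rejected
    'data:text/html,<script></script>',   // rejected by the allowlist
    '//attacker.example/login',           // scheme-less, rejected
];

foreach ($samples as $s) {
    var_dump(render_user_link($s));
}
```

Pair this with the moderation the post recommends: the allowlist removes the injection case, but a well-formed `https://` phishing link is still a well-formed link, and only a human or a reputation check can judge that.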
September 25th, 2012, 08:07 PM
As I say, it is semi-public so moderating is relatively easy.
I agree blacklists are almost useless.
I will let them loose - or is that lose?
September 25th, 2012, 10:44 PM
Let 'em loose, I say. Some people say you should strip HTML and censor stuff but I disagree.