Hi, I'm working on a web app that allows users to submit links to external sites. I'm curious if there are any special security considerations I should take aside from escaping the user input with h( )? Is it safe to directly link_to h(user_inputted_url), h(user_inputted_url), or could that be exploited in a way that I'm not thinking of? Thanks.
I'm also very curious about this question.

On Tue, 2006-02-28 at 21:05 -0600, Josh Rickard wrote:
> Hi,
>
> I'm working on a web app that allows users to submit links to external
> sites. I'm curious if there are any special security considerations I
> should take aside from escaping the user input with h( )? Is it safe
> to directly link_to h(user_inputted_url), h(user_inputted_url) or
> could that be exploited in a way that I'm not thinking of. Thanks.

Charlie Bowman
http://www.recentrambles.com
Charlie Bowman wrote:
> I'm also very curious about this question.
>
> On Tue, 2006-02-28 at 21:05 -0600, Josh Rickard wrote:

Just from experience with phishing, I would disallow the use of "@" characters in URLs, since they are usually used in user/password-in-URL tricks like http://www.ebay.com:blahblah@hackerswebsite.com. It probably wouldn't be as effective as a phishing method on a website, but you never know.

-- 
Posted via http://www.ruby-forum.com/.
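Added example, not posted by anyone in this thread and not Rails' own code: it shows why h( ) alone does not answer the original question, and turns the "@" suggestion above into a check. h( ) here is a stand-in for Rails' html_escape built on CGI.escapeHTML; safe_external_url and link_to_checked are hypothetical helpers. Escaping prevents the value from breaking out of the href attribute, but the scheme is left intact, so a submitted "javascript:alert(1)" is rendered verbatim and runs when the link is clicked. The helper therefore accepts only absolute http(s) URLs, rejects credentials in the authority (the phishing trick from the previous post), and refuses control characters that browsers strip before scheme detection.

```ruby
require 'uri'
require 'cgi'

# Stand-in for Rails' h() / html_escape: escapes &, <, >, " and '.
# It keeps the value inside the attribute but never touches the URL
# scheme, so "javascript:..." survives unchanged.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# What the original question proposes: escaping only.
def link_to_escaped_only(text, url)
  %(<a href="#{h(url)}">#{h(text)}</a>)
end

# Hypothetical helper (not a Rails API). Returns a normalised absolute
# http(s) URL string, or nil when the input must not be used as an href.
def safe_external_url(input)
  return nil if input.nil?
  str = input.strip
  # Control characters or embedded whitespace: browsers strip some of
  # these before scheme detection ("java\tscript:" becomes "javascript:").
  return nil if str.match?(/[\x00-\x20\x7f]/)

  uri = URI.parse(str)
  # Only URI::HTTP (and its subclass URI::HTTPS) are acceptable. This
  # rejects javascript:, data:, vbscript:, file: and scheme-relative
  # "//host" inputs, all of which parse as URI::Generic.
  return nil unless uri.is_a?(URI::HTTP)
  return nil if uri.host.nil? || uri.host.empty?
  # Credentials in the authority, as in
  # http://www.ebay.com:blahblah@hackerswebsite.com, make the visible
  # "host" a username. Reject them outright.
  return nil if uri.userinfo

  uri.scheme = uri.scheme.downcase
  uri.host = uri.host.downcase
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Validated version: the anchor is only rendered when the URL passes;
# otherwise the text is shown without a link at all.
def link_to_checked(text, url)
  safe = safe_external_url(url)
  return h(text) if safe.nil?
  %(<a href="#{h(safe)}" rel="nofollow">#{h(text)}</a>)
end
```

Validate on the way in (when the link is submitted) as well as on the way out, and store the normalised string rather than the raw input, so a later template that forgets the check cannot reintroduce the problem.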