Best way to handle security and avoid XSS with user entered URLs

security url xss html-sanitizing
Keith picture Keith · Oct 15, 2008 · Viewed 48k times · Source

We have a high security application and we want to allow users to enter URLs that other users will see.

This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.

What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough?

Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance)

Is there an argument for not supporting user entered links at all?

Clarification:

Basically our users want to input:

stackoverflow.com

And have it output to another user:

<a href="http://stackoverflow.com">stackoverflow.com</a>

What I really worry about is them using this in a XSS hack. I.e. they input:

alert('hacked!');

So other users get this link:

<a href="javascript:alert('hacked!');">stackoverflow.com</a>

My example is just to explain the risk - I'm well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.

You'd be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise <iframe>, <img> and clever CSS references?

I'm working in a high security environment - a single XSS hack could result in very high losses for us. I'm happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?

Answer

Jeff Atwood picture Jeff Atwood · Oct 15, 2008

If you think URLs can't contain code, think again!

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Read that, and weep.

Here's how we do it on Stack Overflow:

/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
    return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
}

Related questions

https URL with token parameter : how secure is it?

On our site, we provide to users a simulation based on their private information (given through a form). We would like to allow them to get back on their simulation results later, but without forcing them to create a login/…

Read More
Change Joomla Administrator URL

Update: Since this question was asked Joomla StackExchange has been setup and the same questions exists there please add any answers or comments to that question Original: I am using Joomla 3.0.3 for a fairly big new client, security is a …

Read More
Why is using a URL containing a colon considered as a "potentially dangerous request"?

Someone (probably a bot) sent a request with the following URL to my ASP.NET 4.0 web forms application (running on IIS 7.0): http://ipaddress-of-my-applications-domain/bla1.bla2.bla3.bla4.bla5:) This caused an System.Web.HttpException. I received a logging email from …

Read More