greenace92 Posted July 12, 2015 (edited) I created this interface which will someday evolve into a full-fledged project management system; I am aware that others exist. I'm building this as I see fit. I have many projects myself and in the future would like to have others use it in collaboration. Anyway, let's say I have a row and there is a link such as http://www.somesite.com and I wanted that to be echoed as a clickable link, e.g. place it in a <a href="(place here)"></a>. What kind of risks would I encounter? I bind_param everything that a person enters or queries in the URL. People save text (var type text) in a row. I'm not sure if I should "clean" these first. I'm not sure which to use, escape or "shorten"? From a brief article that I skimmed over I wasn't sure if the links would be kept in the same place they were saved in with regard to the database entry or if they are positioned elsewhere. http://stackoverflow.com/questions/1188129/replace-urls-in-text-with-html-links I'd appreciate any thoughts. Thank you. Edited July 12, 2015 by greenace92
Ch0cu3r Posted July 12, 2015 Not sure what you are asking, but the Stack Overflow post you linked to in your post goes through exactly what you need to do and provides code which parses URLs within text into HTML links (see the first post by Austin Burk).
scootstah Posted July 12, 2015 Yeah, that SO post pretty much gives you exactly what you're asking for.
greenace92 Posted July 17, 2015 (Author) I was asking "What can happen". I realize I also may have asked how... I am concerned regarding intentional bad user intent... So if a person embedded a link which, if clicked, executed some function... I suppose a target is always a risk, as you would have to somehow know what the words mean or something... but I'm talking filtering. For instance, when processing a form you usually do stuff like escape, or replace characters, etc... what similar rules apply to links?
scootstah Posted July 17, 2015 (edited) Well, they can link to all sorts of things that are bad. Like websites infected with malware, downloads, phishing sites, etc. But as for your own site, as long as you only allow a legit http/https link and don't have any XSS vulnerabilities, you should be okay. Edited July 17, 2015 by scootstah
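As an added example that is not part of the thread (not code from greenace92, scootstah, or the linked Stack Overflow answer), here is one way to put scootstah's two rules into practice in PHP: escape the stored text for HTML before anything else, then turn only http:// and https:// URLs into links. The function name linkify and the sample text are my own choices; the example assumes the raw text is stored unchanged in the database (bind_param already protects the query) and that escaping and linkifying happen when the row is displayed.

```php
<?php
// Added example, not from the original thread: turn bare URLs inside
// user-submitted text into clickable links while keeping the output safe.
//
//   1. The whole text is HTML-escaped first, so any markup a user typed
//      (<script>, a stray quote, an event handler) is rendered literally
//      instead of being interpreted by the browser. This is the XSS defence.
//   2. Only http:// and https:// URLs are turned into links, so schemes such
//      as javascript: or data: never end up inside an href.

function linkify(string $text): string
{
    // Escape everything first; the regex below then runs on escaped text.
    // Because & became &amp; and quotes became entities, nothing the user
    // typed can close the attribute or the element we build around the URL.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Match http(s) URLs up to the next whitespace. Escaped text contains no
    // raw '<' or quotes, so a match can never carry markup into the href.
    $pattern = '~\bhttps?://[^\s<]+~i';

    return preg_replace_callback($pattern, function (array $m): string {
        $url = $m[0];

        // Punctuation right after a URL (the full stop ending a sentence,
        // a closing parenthesis) is usually not part of it; keep it outside
        // the link so the href stays correct.
        $trail = '';
        while ($url !== '' && strpos('.,;:!?)', substr($url, -1)) !== false) {
            $trail = substr($url, -1) . $trail;
            $url   = substr($url, 0, -1);
        }

        // rel="noopener noreferrer" stops the linked page from reaching back
        // through window.opener; nofollow marks the link as user content.
        return '<a href="' . $url . '" rel="nofollow noopener noreferrer" target="_blank">'
            . $url . '</a>' . $trail;
    }, $escaped);
}

// Constructed sample input for demonstration: one legitimate URL with a
// query string, one HTML injection attempt, one javascript: pseudo-URL.
$sample = 'See http://www.somesite.com/page?a=1&b=2, then <script>alert(1)</script> '
        . 'and javascript:alert(1) which must stay plain text.';

echo linkify($sample), PHP_EOL;
```

Run it and the first URL becomes an anchor whose href and visible text both read http://www.somesite.com/page?a=1&amp;b=2 (the browser decodes &amp; back to & when following the link), the comma after it stays outside the anchor, the script tag is printed as harmless escaped text, and the javascript: string is left as it is because the pattern only accepts http and https. Keeping the escape step before the regex is what makes the order safe: if you linkified first and escaped afterwards, the anchor tags you generated would themselves be escaped, and if you skipped escaping altogether, any row containing a quote or a tag could inject markup into your page.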