3

I have a site where users can supply a URL of their choice.

I'm sure it's a security hole so what should I do to tighten that down without losing too much flexibility?

If I were to leave it, how could I render a link or build a route such that I could link users externally? This doesn't work (of course):

<a href="@item.Location" target="_self">@item.Title</a>
3
  • 3
    Web browsers allow users to supply a URL of their choice too. :) Commented Dec 6, 2011 at 8:15
  • Agreed :) However, there is a business need to provide helpful links to people coming to this page. Commented Dec 6, 2011 at 8:19
  • The best place to ensure that user-provided URLs don't mess with the site is when validating input. This way, URIs like javascript:alert("Wat!") can be disallowed without removing the protocol-part of the URL. Users should have the freedom to choose between giving http:// or https:// URLs, for example. Commented Aug 13, 2015 at 13:26

1 Answer

7

Append protocol before @item.URL like this:

<a href="http://@item.URL" target="_blank">@Html.DisplayFor(modelItem => item.Title)</a>
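
The input-side check suggested in the comments, combined with the default scheme from this answer, can be done once before the URL is stored. This is an added example, not code from the question or the answer; `UserLink` and `TryNormalize` are hypothetical names and the sample inputs are constructed.

```csharp
using System;

// Added example: UserLink and TryNormalize are hypothetical names.
public static class UserLink
{
    // Returns true and a normalized absolute URL when the input resolves to an
    // http:// or https:// link; returns false for everything else.
    public static bool TryNormalize(string input, out string href)
    {
        href = null;
        if (string.IsNullOrWhiteSpace(input)) return false;

        string candidate = input.Trim();

        // No "://" at all: treat the value as a bare host such as
        // "example.com/page" and add the default scheme, as the answer does
        // in the view. Whatever follows "http://" can then only be parsed as
        // an http URL or fail to parse; it can never come out as javascript:.
        if (candidate.IndexOf("://", StringComparison.Ordinal) < 0)
            candidate = "http://" + candidate;

        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri)) return false;

        // Allow-list the scheme (Uri.Scheme is already lower-cased).
        // javascript://, data://, file://, ftp:// and the like stop here.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;

        href = uri.AbsoluteUri; // canonical, escaped form for the href attribute
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = { "example.com/page", "HTTPS://example.com/a?b=1",
            "javascript://x/%0aalert(1)", "javascript:alert(1)",
            "ftp://example.com/file", "   " };
        foreach (string s in samples)
        {
            string href;
            bool ok = TryNormalize(s, out href);
            Console.WriteLine("{0,-28} -> {1}", s, ok ? href : "rejected");
        }
    }
}
```

With the normalized value stored, the view can emit it as the whole `href` and no longer needs to prepend `http://` itself, so users who supplied `https://` keep it.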