PHP prevent "javascript:" link injection

Question

I'm making a website that allows users to store user preferences in a database, including links.

But i've realised that if a user enters javascript: // Malicious code here they can execute any javascript on the page, including the ability to get session ID's.

( The links are shown to other users, thus I want to prevent this from happening )

I've tried the following things to prevent this but they all don't work:

htmlentities()
htmlspecialchars()
strip_tags()
addslashes()

Quick example of my code:

$link  = // queried from the database.
$title = // queried from the database.

echo '<a href="'. $link .'">'. $title .'</a>';

If you know how I could fix this it would be very much appriciated.

They can't do anything they couldn't already do by opening the Javascript console. — Barmar
– Barmar, Commented Jun 29, 2014 at 23:15
Unless you're showing the links to different users than the ones that set them. — Barmar
– Barmar, Commented Jun 29, 2014 at 23:16
@Barmar, Users have the ability to add a link to a personal page, if any other user would visit they would run the malicious code; thus allowing for their accounts to get hacked. — Paradoxis
– Paradoxis, Commented Jun 29, 2014 at 23:16
Take a look at what happens if you try to put javascript:something in your website address in your StackOverflow profile. — Barmar
– Barmar, Commented Jun 29, 2014 at 23:20

Ali Akbar Azizi · Accepted Answer · 2014-06-29 23:24:08Z

3

You can test link with FILTER_VALIDATE_URL

Here is an example

if(!filter_var($url, FILTER_VALIDATE_URL))
  {
  echo "URL is not valid";
  }
else
  {
  echo "URL is valid";
  }

answered Jun 29, 2014 at 23:24

Ali Akbar Azizi

3,5654 gold badges31 silver badges50 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Mike Samuel · Accepted Answer · 2014-06-30 10:36:23Z

2

You should whitelist URLs by protocol. There are too many ways to obfuscate javascript: by varying case, inserting NULs, BOMs, space characters, etc. for a simple test to reliably identify all javascript: URLs.

If you want to allow only URLs with protocol

http
https
mailto
tel

then you can test your input against a regex like

/\A(?:https?:\/\/|mailto:|tel:|[^:]*(?:\/|\z))/i

which will pass any URL that has one of the protocols above, and any relative (or protocol relative) URL that does not have a colon before the first /.

edited Jun 30, 2014 at 10:36

answered Jun 29, 2014 at 23:23

Mike Samuel

121k30 gold badges230 silver badges255 bronze badges

Comments

jcaron · Accepted Answer · 2014-06-29 23:21:05Z

1

You'll need to test the links, probably with a regular expression, possibly '^https?://'

answered Jun 29, 2014 at 23:21

jcaron

17.8k6 gold badges36 silver badges47 bronze badges

Collectives™ on Stack Overflow

PHP prevent "javascript:" link injection

3 Answers 3

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related