I want to store user personal URLs as plain text encoded by htmlspecialchars().
Then I would extract this data and generate and display a link:
echo '<a href="'.$retrieved_string.'" target="_blank">';
And yet, even with encoded special characters and quotation marks, href can still be insecure because of potentially malicious JavaScript inserted into the link, for example:
javascript:alert(document.cookie);
So, I think we need to strip the potential javascript: prefix (before I encode the special characters, of course), as follows:
preg_replace('/^javascript:?/', '', $submitted_and_trimmed_input);
So to summarize:
$input = htmlspecialchars(preg_replace('/^javascript:?/', '', trim($_POST['link'])), 11, 'UTF-8', true);
mysql_query("update users set link='".mysql_real_escape_string($input)."'");
// And retrieving:
$query = mysql_query("select link from users");
$a = mysql_fetch_assoc($query);
echo '<a href="'.$a['link'].'" target="_blank">';
Now the question is: is this enough for the link to the URL to be safe, or are there any other potential surprises that I should be warned about?
EDIT:
I read a little about filter_var() and it seems to fail in many ways. It does not check international domains with unicode characters, and yet this line passes the test successfully:
http://example.com/"><script>alert(document.cookie)</script>
I mean, in general... it's just funny; there must be a better way.
Anonymous
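The approach the question is circling around, written out as an added example (not the asker's code): instead of a denylist that strips the literal text "javascript:", allowlist the URL scheme with parse_url(), and escape the value for the attribute context only at output time. The function names, the 2048-byte length limit, and the sample inputs are assumptions made for this example.

```php
<?php
// Added example: scheme allowlist on input, attribute escaping on output.

/**
 * Return the trimmed URL if it is a plain http(s) link with a host, else null.
 * An allowlist does not need to recognise any particular attack string:
 * anything that is not http/https with a host is refused.
 */
function safe_link(string $raw): ?string {
    $url = trim($raw);
    if ($url === '' || strlen($url) > 2048) {   // assumed length limit
        return null;
    }
    // Control characters or whitespace inside the URL: reject outright.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Host: ASCII letters, digits, dots, hyphens (punycode IDNs included).
    // Unicode hosts should be passed through idn_to_ascii() before this check.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return $url;
}

/** Escape for use inside a double-quoted href attribute. */
function link_html(string $url): string {
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '" target="_blank" rel="noopener noreferrer">';
}

// Constructed inputs: the two from the question plus an ordinary link.
$samples = [
    'javascript:alert(document.cookie)',
    'http://example.com/"><script>alert(document.cookie)</script>',
    'https://example.com/profile?id=42&tab=links',
];
foreach ($samples as $s) {
    $ok = safe_link($s);
    echo $ok === null ? "REJECTED: $s\n" : "OK: " . link_html($ok) . "\n";
}
```

The first sample is rejected because it has no host and its scheme is not allowlisted; the second parses as an http URL to example.com, so it is accepted, and the quote and angle brackets in its path are neutralised by htmlspecialchars() with ENT_QUOTES when the href attribute is built.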