I'm working on an app that would allow people to enter arbitrary URL's that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.
What type of security risks am I looking at?
The app is coded in PHP, and the only security countermeasure I currently perform is using PHP's htmlentities() function against the input URL before sending it as HTML. I'm also checking to make sure that the URL text starts with either https:// but I don't know if that's accomplishing anything, security wise.
What else should I be doing to ensure the security of my end users?
Take a look at the XSS Checklist.
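To make the two countermeasures from the question concrete (escaping the value for the attribute, and restricting the scheme), here is an added PHP example that is not part of the question or the answer. The function names safe_url() and attr_url() are hypothetical, and the sample inputs at the bottom are constructed for demonstration. The point it shows is that escaping alone does not stop a non-http(s) scheme such as javascript: from being a valid, clickable href, and that a raw string-prefix test is weaker than checking the parsed scheme against an allowlist.

```php
<?php
// Added example, not from the original post. Hypothetical helpers for
// accepting a user-supplied URL that will be emitted inside href="..." or
// src="..." attributes.

/**
 * Returns the trimmed URL if it is an absolute http(s) URL, or null otherwise.
 * Checking the parsed scheme rather than a raw prefix rejects javascript:,
 * data: and vbscript: URLs regardless of letter case, and the control-character
 * test rejects inputs where whitespace is embedded inside the scheme.
 */
function safe_url(string $input): ?string
{
    $url = trim($input);

    // Reject any control character or whitespace inside the URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative or malformed: only absolute URLs are accepted
    }

    // Scheme allowlist: only http and https may be linked or embedded.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Second opinion on overall syntax (host, userinfo, port, etc.).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    return $url;
}

/**
 * Escape a validated URL for use inside a double-quoted HTML attribute.
 * ENT_QUOTES covers both ' and "; an explicit charset avoids relying on the
 * default encoding of older PHP versions.
 */
function attr_url(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
$samples = [
    'https://example.com/page?a=1&b=2',
    'http://example.com/img.png',
    'javascript:alert(1)',
    'JAVASCRIPT:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html;base64,PHNjcmlwdD4=',
    '/relative/path',
];

foreach ($samples as $raw) {
    $url = safe_url($raw);
    if ($url === null) {
        echo 'REJECT: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    echo '<a href="' . attr_url($url) . '">link</a>' . "\n";
}
```

Use safe_url() at input time (store only what it returns, or reject the submission) and attr_url() at output time, every time the value is written into an attribute. The two steps address different problems: the scheme allowlist decides whether the URL may be linked at all, while the attribute escaping keeps a permitted URL from breaking out of the quotes.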
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki