I'm working on an app that would allow people to enter arbitrary URL's that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.

What type of security risks am I looking at?

The app is coded in PHP, and the only security countermeasure I currently perform is using PHP's htmlentities() function against the input URL before sending it as HTML. I'm also checking to make sure that the URL text starts with either http:// or https:// but I don't know if that's accomplishing anything, security wise.

What else should I be doing to ensure the security of my end users?

Accepted Answer

Take a look at the XSS Checklist.

Written by ryeguy
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki