I'm working on an app that would allow people to enter arbitrary URL's that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.
What type of security risks am I looking at?
The app is coded in PHP, and the only security countermeasure I currently per开发者_StackOverflowform is using PHP's htmlentities() function against the input URL before sending it as HTML. I'm also checking to make sure that the URL text starts with either http:// or https:// but I don't know if that's accomplishing anything, security wise.
What else should I be doing to ensure the security of my end users?
Take a look at the XSS Checklist.
It is possible to construct an image that is also a valid javascript file, and get a browser to execute it. See http://www.thinkfu.com/blog/?p=15
SVG images (mime-type image/svg+xml) can contain javascript. See http://www.w3.org/TR/SVG/interact.html
You should sanitize at all times, img tags are vulnerable to cross-site-scripting
You would like to read about XSS (Cross site scripting) and XSRF (Cross site request forgery)
EDIT: As pointed out by ryeguy, you can pretty much copy and paste any of the examples in XSS (Cross Site Scripting) Cheat Sheet and seek the best way to prevent from them accordingly.
In addition, it is possible to insert whole images into URLs using inline data in newer browsers. It might be possible to inject something through there, however that would require a gaping browser-side security hole and I would not know how to sanitize something like that.
Maybe you just want to restrict access to certain domains, or check whether an image physically exists? That might already help a lot.
CSRF:
<img src="http://example.org/accounts/123/delete" />
In addition to the great answers so far, the xss cheat sheet doesn't really account for event attributes like onmouseover onhover etc. These are all, by design, to allow someone to run some javascript when something happens.
 
         
                                         
                                         
                                         
                                        ![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif) 
                                         
                                         
                                         
                                         加载中,请稍侯......
 加载中,请稍侯......
      
精彩评论