
Outputting Third Party Submitted Links

I guess, if a visitor to my website submits his url along with the anchor tags like this:

[code]
<a href="http://visitor-site.com">My Site</a>
[/code]

Then, I should modify the output to the following to securely output the link on my page:

[code]
echo htmlspecialchars('<a href="http://visitor-site.com">My Site</a>');
[/code]

Yes? Or would you output it differently?

@NogDog, Jun 06.2022 — Only if you don't want the link to actually work like a link (i.e. that will just display the raw text, it will not be an actual HTML element.)

@novice2022 (author), Jun 06.2022 — Q2.

This time, imagine your visitor just submitted his url. Not the link. No anchor tags or html tags.

Submitted like this:

http://visitor-site.com/autos/?cat=cars

Now how would you output that to your page securely?

I would do it like the following. Is it OK or not?

[code]
echo '<a href=' .' " ' .'http://visitor-site.com' .'/ ' .rawurlencode(autos) . '/' .'cat=' .urlencode(cars) .' " ' .'click here' .'</a>';
[/code]

Maybe you would do it some other, simpler way to turn the URL into a link?

@novice2022 (author), Jun 06.2022 — @NogDog#1644550

Yes. On the first example, I just want to display the user submitted html tags and their submitted url as is as submitted by user and make sure the browser does not render it.

On the second example, I want to turn the user submitted url into a clickable link by putting my own anchor tag.

@NogDog, Jun 06.2022 — Personally, I would only allow them to submit the plain URL (and maybe a separate field for the display text if you want). Then I might do an initial input validation along the lines of:
[code=php]
if (strip_tags($url) != $url) {
    // error: html tags not allowed
}
[/code]
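
One way to combine the validation suggested above with output escaping when turning a submitted plain URL into a link, as an added example that is not part of the original thread. The function name `render_submitted_link`, the `rel` values and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns an <a> element for a
// visitor-submitted URL, or null when the URL is rejected.
function render_submitted_link(string $url, string $text = ''): ?string
{
    $url = trim($url);

    // Reject markup outright, as suggested in the thread.
    if (strip_tags($url) !== $url) {
        return null;
    }

    // Must be a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Allowlist the scheme: FILTER_VALIDATE_URL also accepts non-HTTP
    // schemes (ftp://, for example), which should not become a link here.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Escape for the HTML attribute and text contexts. The value is already
    // a URL, so it is HTML-escaped here, not urlencode()d a second time.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $href  = htmlspecialchars($url, $flags, 'UTF-8');
    $label = htmlspecialchars($text !== '' ? $text : $url, $flags, 'UTF-8');

    return '<a href="' . $href . '" rel="nofollow noopener ugc">' . $label . '</a>';
}

// Constructed sample inputs: two accepted, three rejected.
$samples = [
    'http://visitor-site.com/autos/?cat=cars',
    'http://visitor-site.com/autos/?cat=cars&sort=new', // & becomes &amp;
    '<a href="http://visitor-site.com">My Site</a>',     // contains tags
    'ftp://visitor-site.com/file',                       // scheme not allowed
    'javascript:void(0)',                                // scheme not allowed
];
foreach ($samples as $s) {
    $html = render_submitted_link($s);
    echo $html ?? 'rejected: ' . htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```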

@novice2022 (author), Jun 08.2022 — @NogDog#1644559

Ok. Thanks. I understand.

Nevertheless, let me learn the coding. Is my code OK here or not?

https://forum.webdeveloper.com/d/399967-outputting-third-party-submitted-links/3