Best way to handle security and avoid XSS with user entered URLs

by

If you think URLs can’t contain code, think again!

https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Read that, and weep.

Here’s how we do it on Stack Overflow:

/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
    return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
}

More Related Contents:

  1. Will HTML Encoding prevent all kinds of XSS attacks?
  2. What is cross site scripting?
  3. If you use HTTPS will your URL params will be safe from sniffing? [duplicate]
  4. https URL with token parameter : how secure is it?
  5. Difference between Hashing a Password and Encrypting it
  6. What are the best practices for avoiding xss attacks in a PHP site [closed]
  7. XMLHttpRequest cannot load file. Cross origin requests are only supported for HTTP
  8. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  9. What is the best way to prevent session hijacking?
  10. How to restrict Firebase data modification?
  11. Why is security through obscurity a bad idea? [closed]
  12. Classic ASP SQL Injection Protection
  13. Password hashing, salt and storage of hashed values
  14. How are software license keys generated?
  15. Preventing Brute Force Logins on Websites
  16. Are Google Cloud Functions protected from DDoS attacks?
  17. Does HTML5 allow you to interact with local client files from within a browser
  18. Docker and securing passwords
  19. OAuth2 and Google API: access token expiration time?
  20. CodeIgniter – why use xss_clean
  21. What is the best Distributed Brute Force countermeasure? [closed]
  22. SSL Error: unable to get local issuer certificate
  23. curl – Is data encrypted when using the –insecure option?
  24. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  25. How do you configure HttpOnly cookies in tomcat / java webapps?
  26. How to pass the value of a variable to the standard input of a command?
  27. Keygen tag in HTML5
  28. How to send password securely via HTTP using Javascript in absence of HTTPS?
  29. Remember me Cookie best practice?
  30. buffer overflow example from Art of Exploitation book

Leave a Comment