How to avoid website hijacking?


Anton

hi

I'm creating a website where people can post comments etc. I fear that
someone can post script into the comment field and the script will redirect
the user to a different website - hijacking my website...

not sure how to avoid this

I know it's some kind of test I should do on what the user types into the
comment field, but I'm not sure how to do that test.

any ideas?
 
Do you want to allow some markup?

Possible options are:

- use HTMLEncode; this way *all* markup will be considered as text and will
just be displayed (you could still recognize the http scheme and add the link
yourself)

- if you still want to allow some code but not all, you'll have to check the
input for sanity. Try Googling for "html sanitizer". I would recommend a
white list approach (i.e. rather than searching for what is dangerous, all is
dangerous except what you allowed). Also be aware of cases such as putting
javascript: in an src attribute, which could perhaps run on some browsers...

- AFAIK some are using special tags such as those found in wikis. This way you
don't allow any HTML markup, but users are still able to do some formatting.

#3 would likely be my personal preference, i.e. comments are NOT HTML markup;
still, [http://www.mysite.com] or [http://mmy.site.com/myimage.png] could be
turned into an "a" or "img" tag, but safely and used with explicit user
consent by clicking on the link. It is likely easier than avoiding
introducing possible exploits in the allowed HTML markup.
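The following is an added illustration of options 1 and 3 from the reply above, not code from the original thread or any poster. It assumes a Python server-side rendering step (the thread does not name a language): the whole comment is HTML-encoded as text first, and the only markup that ever reaches the page is generated by the code itself for bracketed URLs whose scheme is on a short allow list. A `[javascript:...]` "link" therefore never becomes a tag; it is displayed as plain text. The image embedding for `.png`/`.jpg` URLs follows the poster's suggestion and is a design choice you may prefer to leave out.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list of URL schemes that may become live links. Anything else
# (javascript:, data:, vbscript:, ...) is treated as ordinary text.
SAFE_SCHEMES = {"http", "https"}
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")

# Wiki-style link syntax from the reply: a URL in square brackets,
# e.g. [http://www.mysite.com]. No whitespace or nested brackets allowed.
BRACKET_LINK = re.compile(r"\[([^\[\]\s]+)\]")


def safe_url(raw: str):
    """Return the URL if its scheme is allow-listed and it has a host, else None."""
    parts = urlsplit(raw)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return raw


def render_comment(text: str) -> str:
    """HTML-encode the whole comment, then re-introduce only the markup we generate.

    Every character of user input passes through html.escape (the HTMLEncode
    approach), so <script> or stray quotes can never form a tag or attribute.
    The a/img tags below are built by us, with the URL escaped again inside
    the attribute value.
    """
    out = []
    pos = 0
    for m in BRACKET_LINK.finditer(text):
        # Plain text between links is encoded as-is.
        out.append(html.escape(text[pos:m.start()]))
        url = safe_url(m.group(1))
        if url is None:
            # Disallowed scheme: show the brackets and URL as inert text.
            out.append(html.escape(m.group(0)))
        else:
            enc = html.escape(url, quote=True)
            if url.lower().endswith(IMAGE_SUFFIXES):
                out.append(f'<img src="{enc}" alt="">')
            else:
                # rel="nofollow noopener": don't lend ranking to user links and
                # don't hand the opener window to the linked page.
                out.append(f'<a href="{enc}" rel="nofollow noopener">{enc}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample comments, including the thread's own example URLs.
    for sample in (
        "<script>document.location='http://attacker.example'</script>",
        "see [http://www.mysite.com] and [http://mmy.site.com/myimage.png]",
        "[javascript:alert(1)] and [http://a.com/?x=1&y=2]",
    ):
        print(render_comment(sample))
```

Because the encoding step runs over the entire comment before any tag is emitted, adding more allow-listed syntax later (bold, code spans) keeps the same safety property: the browser only ever sees tags this function wrote.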
 
The ASP .NET engine contains code to check for cross site scripting attacks
and does this automatically for you. You don't need to worry about scripts
being entered into your controls.

-Scott
 
The ASP .NET engine contains code to check for cross site scripting
attacks and does this automatically for you. You don't need to worry
about scripts being entered into your controls.

Works, but if you do nothing then you can't use < or >, which could be a
problem depending on the kind of comments you expect (if the site is about
HTML or programming it won't fit as is...). I agree though this is where the
OP should start...
 