Question

I have used HTML purifier to weed out any suspect stuff coming in from my public facing WYSIWYG editor. The incoming HTML is also displayed in the public portion of the website.

I have allowed links, and I also automatically linkify URLs in plain text (using the purifier).

Is there a way to allow external links, but ban links to the same domain? E.g. my domain is www.example.com

http://www.google.com will be linked.

http://www.example.com/logout/ will not be linked.

I am looking at minimizing any interference from malicious users. Should I just make my logout link a form action with a POST key/value pair to stop this from happening?

Thanks


Solution

Your login/out form should ALWAYS be POST-only.

Don't worry about a verification value, but this is a pretty important security issue - any transactions which change the state of the webserver should be POST requests. You should NEVER allow http://example.com/object?action=delete, or any variant thereof. PHP encourages bad practice in this matter, but you should ALWAYS use one or the other, and NEVER allow both.

If your users can write forms into your WYSIWYG editor, you've got far bigger problems than this.

To answer your original question, to disable internal links, use URI.HostBlacklist and be sure to set URI.MakeAbsolute:

http://htmlpurifier.org/live/configdoc/plain.html#URI.HostBlacklist
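As an added example (not code from the answer above or from HTML Purifier itself): a custom URI filter, registered the way HTML Purifier's documentation describes, that drops the href of any link whose host is our own site or a subdomain of it. It also covers relative links such as `/logout/`, which have no host at all for URI.HostBlacklist to match. The filter class name and the www.example.com host are assumptions.

```php
<?php
// Added example: assumes HTML Purifier is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Hypothetical filter class (not part of HTML Purifier). Returning false from
// filter() makes HTML Purifier reject the URI, so the href attribute is dropped.
class HTMLPurifier_URIFilter_BlockInternalLinks extends HTMLPurifier_URIFilter
{
    public $name = 'BlockInternalLinks';
    private $ownHost;

    public function __construct(string $ownHost)
    {
        $this->ownHost = strtolower($ownHost);
    }

    public function filter(&$uri, $config, $context)
    {
        // A relative reference (no scheme, no host) resolves to our own site,
        // so treat it as internal. Scheme-only URIs such as mailto: stay allowed.
        if ($uri->host === null) {
            return $uri->scheme !== null;
        }
        $host = strtolower($uri->host);
        $suffix = '.' . $this->ownHost;
        // Reject an exact match on our host and any subdomain of it.
        $isInternal = ($host === $this->ownHost)
            || (substr($host, -strlen($suffix)) === $suffix);
        return !$isInternal;
    }
}

function buildPurifier(string $ownHost): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,a[href]');
    $config->set('AutoFormat.Linkify', true);   // bare URLs become <a> elements
    $config->set('Cache.DefinitionImpl', null); // custom filter: skip definition cache
    $uriDef = $config->getDefinition('URI');
    $uriDef->addFilter(new HTMLPurifier_URIFilter_BlockInternalLinks($ownHost), $config);
    return new HTMLPurifier($config);
}

// Constructed sample: one external link, one absolute and one relative internal link.
$sample = '<p><a href="http://www.google.com/">search</a> '
        . '<a href="http://www.example.com/logout/">log out</a> '
        . '<a href="/logout/">log out (relative)</a> http://www.google.com/</p>';

echo buildPurifier('www.example.com')->purify($sample), PHP_EOL;
```

Only the two links to www.google.com keep an href; the filter runs on every URI attribute HTML Purifier validates, so it also applies to the anchors that linkify creates.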

Licensed under: CC-BY-SA with attribution