How to avoid website hijacking?

A

Anton

hi

I'm creating a website where people can posts comments etc, i fear that
someone can post script into the comment field and the script will redirect
the user to a different website - hijacking my website..

not sure how to avoid this

I know it some kind of test I should do on what the user types into the
comment field, but not sure how to do that test

any ideas?
 
P

Patrice

Do you want to allow some markup ?

Possible options are :

- use HTMLEncode, this way *all* markup will be considered as text and will
be just displayed (you could still recognize http scheme and add the link
yourself)

- if you want still to allow some code but not all you'll have to check the
input for sanity. Try Googling for "html sanitizer". I would recommend a
white list approach (i.e. rather than searching what is dangerous, all is
dangerous expect what you allowed). Also be aware of cases such as putting
javascript: in an src attribute which could perhaps run on some browser...

- AFAIK some are using special tags such as found in wikis. This way you
don't allow any HTML markup but still users are able to do some formatting

#3 would be likely my personal preference i..e comments are NOT html markup
still [http://www.mysite.com] or [http://mmy.site.com/myimage.png] could be
turned into a "a" and "img" tag but safely and used with explicit user
consent by clicking on the link. It is likely easier than avoiding to
introduce possisbly exploits in the allowed HTML markup.
 
S

Scott M.

The ASP .NET engine contains code to check for cross site scripting attacks
and does this automatically for you. You don't need to worry about scripts
being entered into your controls.

-Scott
 
P

Patrice

The ASP .NET engine contains code to check for cross site scripting
attacks and does this automatically for you. You don't need to worry
about scripts being entered into your controls.
Click to expand...

Works but if you do nothing then you can't use < or > which could be a
problem depending on the kind of comments you expect (if the site is about
HTML or programming it won't fit as is...). I agree though this is where the
OP should start...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

I need help making an html website 2
Connecting a database to Website 2
First website practice project advisement 4
Collect Excel Data from Website 5
un-"hijacking" a stolen website 6
A website that I couldn't make a screenshot of it nor save any page from. 1
Need help with code on website (noob) 2
Help with Python Flask on PI as server SSE to website 0

Members online

Total: 28 (members: 2, guests: 26)
Robots: 438

Forum statistics

Threads
473,768
Messages
2,569,574
Members
45,048
Latest member
verona

Latest Threads

Top