Escape User-generated Content - What Does That Mean?
Solution 1:
To escape something means that you convert possible harmful characters into something that is not harmful for the computer to translate.
For example:
url = "<script>doSomeNastyStuff();</script>";
is a possible harmful string of contents. Mainly because you're storing plain javascript somewhere in your application.
When escaping this you're basically turning this into something not harmful at all.
Example:
url = "\"\x3Cscript\x3EdoSomeNastyStuff();\x3C\x2Fscript\x3E\"";
Now you've turned the harmful script into normal characters and when printed or stored you will not have to worry about a harmful script being injected into your code.
Another example of escaping characters is this
var sayHello = "Hello "world", as you like to call yourself";
Now, this unescaped in javascript code would produce an error because the string has been terminated and the word 'world' is now a variable and then a new string starts.
This is the same string escaped to allow for quotation marks.
var sayHello = "Hello \"world\", as you like to call yourself";
And it's perfectly valid!
What Dillen suggests is exactly the right way for you to solve your problem but I thought explaining the escaping method would be appropriate as well.
Solution 2:
You must URL-encode your URL; you can do this with any programming language. For more information see: http://www.permadi.com/tutorial/urlEncoding/
Javascript
var url = encodeURIComponent("http://example.com");
PHP
$url = urlencode("http://example.com");
C#
var url = HttpUtility.UrlEncode("http://example.com");
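An added example (not code from either answer) that applies both points together: text placed into HTML is HTML-escaped, and a value placed into a URL query is passed through encodeURIComponent. The search page URL and the sample input are constructed for illustration.

```javascript
// Added example: escape user-generated text for two different output contexts.
// Each context has its own escaping rule; using the wrong one leaves the
// harmful characters intact.

// HTML text/attribute context: replace the five characters that can change
// HTML structure with their character references.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL query context: encodeURIComponent percent-encodes everything except the
// unreserved characters, so a user value cannot add or alter query parameters.
function buildSearchUrl(base, query) {
  return base + "?q=" + encodeURIComponent(query);
}

// Both contexts at once: an <a> tag whose href is built from user input.
// The value is URL-encoded first (URL context), then the finished URL is
// HTML-escaped because it lands inside an HTML attribute; the visible link
// text is HTML-escaped on its own.
function renderSearchLink(base, query) {
  const url = buildSearchUrl(base, query);
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(query) + "</a>";
}

// Constructed sample input, modelled on the answer's example payload.
const hostile = "<script>doSomeNastyStuff();</script>";
console.log(escapeHtml(hostile));
// Hypothetical search page URL, used only for this demonstration.
console.log(renderSearchLink("https://example.com/search", 'a&b="x"'));
```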