Safe to use URLs from users as HTML attribute values?

I’ve been meaning to ask this for some time now. Is it safe to take user URLs and plug them into HTML attribute values? For example, letting users enter their own custom avatars hosted on other locations and the meteor app’s template page is like so:

    <img src="{{userAvatarExternalURL}}" />

or

    <img src="{{{userAvatarExternalURL}}}" />

Is it possible for the user to enter a link containing a fake image file (that has arbitrary js code instead) and have it execute on my Meteor app? I’ve read about this already, but I’m looking for confirmation whether it’s safe or not to do.

You are referring to XSS attacks.

If you use {{}}, Blaze will do some checks on XSS and prevent common attacks.

If you need more control, use the browser-policy package.

Check this: https://meteorhacks.com/xss-and-meteor.html
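To make the difference between {{ }} and {{{ }}} concrete, here is an added example (not code from the thread, and not Blaze's own implementation): a small Node script whose attribute escaper stands in for what {{ }} does, renders the template from the question both ways, and adds a separate scheme check, since escaping only keeps the value inside the `src` attribute and says nothing about whether the URL itself is acceptable. The sample URLs are constructed.

```javascript
// Added example: attribute escaping (the {{ }} case) versus raw insertion
// (the {{{ }}} case), plus a URL scheme allow-list that escaping does not give you.

// HTML attribute escaping; an approximation of what {{ }} does, not Blaze's code.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the <img> from the question; raw=true mimics {{{ }}}, raw=false mimics {{ }}.
function renderAvatar(url, { raw = false } = {}) {
  const v = raw ? url : escapeAttr(url);
  return `<img src="${v}" />`;
}

// List the attribute names a browser-like tokenizer would see in the tag.
// If a user value can add a second attribute (e.g. onerror), it has broken out of src.
function attributeNames(html) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Scheme allow-list: only absolute http(s) URLs are accepted as avatar sources.
// This is the check escaping cannot do for you; a "javascript:" value is a
// perfectly well-formed attribute string and survives escaping unchanged.
function isAllowedAvatarUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Constructed sample inputs.
const benign = "https://cdn.example.test/avatars/42.png";
const breakout = '" onerror="alert(1)';   // tries to close src and add a handler
const scheme = "javascript:alert(1)";       // stays inside src, but wrong scheme

console.log(renderAvatar(breakout));                 // escaped: single src attribute
console.log(renderAvatar(breakout, { raw: true }));  // raw: src plus an onerror attribute
console.log(isAllowedAvatarUrl(benign), isAllowedAvatarUrl(scheme)); // true false
```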

What if the link looks legit, but the data within the referred link is not? The browser-policy package can help prevent that code from executing?

Yes. Browser policy uses some standard browser technology. It’s something baked into the browser.