I’ve been meaning to ask this for some time now. Is it safe to take user URLs and plug them into HTML attribute values? For example, letting users enter their own custom avatars hosted at other locations, where the Meteor app’s template page is like so:
…
[img src="{{userAvatarExternalURL}}" /]
…
- or -
…
[img src="{{{userAvatarExternalURL}}}" /]
…
Is it possible for the user to enter a link containing a fake image file (that has arbitrary JS code instead) and have it execute on my Meteor app? I’ve read about this already, but I’m looking for confirmation whether it’s safe or not to do.
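
One way to constrain the value before it is stored and later bound to `src`, as an added example that is not part of the original post: it parses the input with the standard WHATWG `URL` class and keeps only absolute http(s) URLs. The function name `normalizeAvatarUrl`, the scheme allow-list, the hostname pattern and the length limit are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): server-side validation of a
// user-supplied avatar URL. All names and limits here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]); // assumed allow-list
const MAX_LENGTH = 2048;                                 // assumed limit
const HOSTNAME_RE = /^[a-z0-9.-]+$/;                     // ASCII/punycode hosts only

function normalizeAvatarUrl(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_LENGTH) return null;

  let url;
  try {
    // No base URL is passed, so relative and scheme-less input throws.
    url = new URL(trimmed);
  } catch (e) {
    return null;
  }

  // The parser lower-cases the scheme, so mixed-case variants of
  // javascript:, data:, vbscript: etc. all fail this allow-list check.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;

  // Reject embedded credentials and unusual host characters.
  if (url.username || url.password) return null;
  if (!HOSTNAME_RE.test(url.hostname)) return null;

  // Return the parser's serialization rather than the raw input: quotes and
  // spaces in the path, query or fragment come back percent-encoded.
  return url.href;
}

// Constructed sample inputs.
const samples = [
  "https://example.com/avatars/alice.png",
  "javascript:alert(1)",
  "data:image/svg+xml,<svg/>",
  "//example.com/a.png",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", normalizeAvatarUrl(s));
}
```

Store and render only the returned string, and keep the double-brace form in the template so the value is still escaped on output.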