TechWithTyler / FlexiDeck


Include links in a card's content #12

Open ES-Anon opened 3 weeks ago

ES-Anon commented 3 weeks ago

As a user, I'd like to be able to add web links to my cards.

I should be able to click them, and have the link open in my default browser.

⚠️ Security Note

Implementing this incorrectly could open security vulnerabilities. Be sure to research best practices in terms of security (see comment for a place to start).

ES-Anon commented 3 weeks ago
1. Sanitize User Input

   - URL Validation: Before allowing a link to be added, ensure that the input is a valid URL. You can use built-in URL validation functions or regex patterns to check for proper URL formats.
   - Limit Protocols: Restrict the protocols that can be used to only safe ones like https and http. Avoid allowing potentially dangerous protocols like file, javascript, or data.

   ```swift
   import Foundation

   // URL(string:) returns nil for malformed input; the scheme check then
   // rejects anything that is not plain http/https (file:, javascript:, data:, ...).
   // The array literal is inferred as [String?] so the optional scheme compares directly.
   if let url = URL(string: userInput), ["http", "https"].contains(url.scheme?.lowercased()) {
       // Proceed with adding the link
   } else {
       // Reject the link
   }
   ```

2. Open Links in a Safe Environment

   - External Browser: Consider opening links in an external web browser (like Safari) rather than an embedded web view. This minimizes the attack surface within your app and leverages the security features of the browser.

3. Content Security

   - Prevent Script Injection: Ensure that any text content around the links is properly sanitized to prevent script injection (e.g., XSS attacks). Avoid rendering user-generated content as raw HTML.
   - Link Shorteners: Be cautious with allowing or resolving shortened URLs, as they can obscure the destination URL. If you allow them, consider expanding the URL before displaying it to the user.
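An added example, not code from this issue or from FlexiDeck, that carries the scheme check in the comment above through the edge cases a card-link validator has to handle (whitespace, mixed-case schemes, scheme-only strings, bare text with no scheme). `safeCardLink` and the sample inputs are hypothetical; the only Foundation API used is `URLComponents`.

```swift
import Foundation

/// Returns a normalized URL only when the input is an absolute http(s) URL
/// with a non-empty host. Everything else (javascript:, data:, file:, relative
/// text, "https://" with no host) is rejected, so only the returned value is
/// ever handed to the system browser. Hypothetical helper for this issue.
func safeCardLink(_ userInput: String) -> URL? {
    let trimmed = userInput.trimmingCharacters(in: .whitespacesAndNewlines)
    // URLComponents parses strictly; nil here means the text is not a URL at all.
    guard var components = URLComponents(string: trimmed),
          let scheme = components.scheme?.lowercased(),
          ["http", "https"].contains(scheme),
          let host = components.host, !host.isEmpty
    else { return nil }
    components.scheme = scheme   // normalize "HTTPS" -> "https" before storing
    return components.url
}

// Constructed sample inputs (not from the issue) with the expected decision.
let samples: [(input: String, accepted: Bool)] = [
    ("https://example.com/path?q=1", true),
    ("  HTTP://Example.com  ", true),      // surrounding whitespace, upper-case scheme
    ("javascript:alert(1)", false),        // scripting scheme
    ("data:text/html,hello", false),       // data: scheme
    ("file:///etc/hosts", false),          // local file scheme
    ("example.com", false),                // no scheme: parsed as a relative path
    ("https://", false),                   // scheme but no host
]

for sample in samples {
    let accepted = safeCardLink(sample.input) != nil
    assert(accepted == sample.accepted, "unexpected decision for \(sample.input)")
}
```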

ES-Anon commented 1 week ago

Some implementation info that may help:

https://fatbobman.medium.com/opening-urls-in-swiftui-views-fa064c041d64