Blog of Daniel Ruf


target="_blank" considered harmful


Links can often be abused to take control of pages. This problem has been known for a very long time, but it seems many developers are either unaware of it or have forgotten about it.


don't blindly trust FILTER_VALIDATE_URL


Valid URLs can use a wide range of different protocols. This requires strict validation of user-supplied URLs combined with correct checks. Overly lax or incorrect checks can quickly lead to vulnerabilities.