views: 56
answers: 1

Hey everyone,

I've got a section on my site which allows users to upload a link in their profile, to their MySpace account. In order to secure other users, I want to hard code the domain name (www.myspace.com/) and append the user's (sanitized) input. To me, this seems pretty secure and ensures that it always goes to MySpace.com. However, is there any way a malicious user can append a tag to the end of "www.myspace.com" which redirects it to another site? Or, since the domain name is hardcoded, will anything added after that simply lead to a 404 error?

Thanks

+2  A: 

Firstly, you must sanitize the input (as you note). Assuming you do, then if the domain is hardcoded, the link will go to the servers at myspace.com, and it's up to myspace.com to do the right thing with possibly bad input. But it will not be hijacked to another domain.

If you don't sanitize, a user could enter something like

myname" onclick="do_evil_stuff...">...

and that could hijack the link.

bmb
Thanks! That's pretty much what I needed to know. I'll be sanitizing the input and removing suspicious looking links.
Skoder
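An added example (not from the question or the answer above) showing the two layers the accepted answer describes: an allow-list on the profile name, and attribute-context escaping so that a quote in the input can never close the href attribute. The allowed-character rule and the `http://www.myspace.com/` prefix are assumptions for illustration, not MySpace's actual profile-name policy.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Hardcoded prefix, trailing slash included so the input always lands in the path
MYSPACE_BASE = "http://www.myspace.com/"

# Assumed allow-list for a profile name (letters, digits, underscore, dot, hyphen);
# this is an illustrative rule, not the real MySpace policy.
PROFILE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def sanitize_profile_name(raw):
    """Return the trimmed name if it matches the allow-list, otherwise None."""
    name = raw.strip()
    return name if PROFILE_NAME_RE.fullmatch(name) else None


def build_myspace_url(raw):
    """Build the profile URL from the hardcoded base plus the sanitized name."""
    name = sanitize_profile_name(raw)
    if name is None:
        return None
    url = MYSPACE_BASE + quote(name, safe="")
    # Defence in depth: after parsing, the authority must still be the hardcoded host
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.netloc != "www.myspace.com":
        return None
    return url


def render_profile_link(raw):
    """Allow-list first, then escape for the attribute context."""
    url = build_myspace_url(raw)
    if url is None:
        return "(no MySpace link)"
    return '<a href="%s">MySpace profile</a>' % html.escape(url, quote=True)


def render_escaped_only(raw):
    """Escaping alone (no allow-list): the answer's payload stays inside the attribute."""
    return '<a href="%s">MySpace profile</a>' % html.escape(MYSPACE_BASE + raw, quote=True)


# Constructed sample inputs, including the payload quoted in the answer
SAMPLES = ["tom", 'myname" onclick="do_evil_stuff...">...', "../../evil"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", render_profile_link(sample))
```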