views: 38
answers: 1
Hi, I'm trying to pass a URL to a website so it can be opened in an iframe. The URL is for a registration confirmation, so users get their id / password. I know how to do that and the URL opens fine, but what are the implications for the website it is being passed to (it is an online store)?

Here is the script on the store site:

<?php
// $lnk arrives from the browser and is echoed below unchecked and unescaped,
// both as text and inside the iframe's src attribute.
echo ($lnk); echo "<br>";
echo "<iframe src=\"" . $lnk . "\" width=\"1000\" height=\"900\"></iframe>";
?>

Obviously this needs to be secured, but I'm only beginning to learn security and I can't have this go online without being certain it is safe. Any help is appreciated.

A: 

If you intend to echo a $_POST value, it really can't be secured. You could, for example, keep the link in $_SESSION instead. Or restrict it to a particular domain, and just send the rest of the URL via POST:

<?php
// Only the part after the fixed scheme and host is taken from the request.
$lnk = $_POST['link'];
// Escape before echoing (see the edit below); without this the echo is XSS.
echo htmlspecialchars($lnk, ENT_QUOTES, 'UTF-8'); echo "<br>";
echo "<iframe src=\"http://domain.com/" . htmlspecialchars(str_replace('@', '', $lnk), ENT_QUOTES, 'UTF-8') . "\" width=\"1000\" height=\"900\"></iframe>";
?>

[edit]

Yeah, I know about the XSS. That's why I stated "it really can't be secured." Nevertheless, htmlspecialchars if you're still determined to do it this way.
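The two options the answer names (keep the link server-side in $_SESSION, or accept it from the browser but pin it to an allowed host) as an added, runnable example. This is not code from the question or the answer; the host names store.example.com / www.store.example.com, the session key confirm_link and the sample inputs are assumptions made up for the demonstration. It goes beyond the answer's str_replace('@', '') by parsing the URL, rejecting anything that is not http(s) on an allowed host, rebuilding the URL from the parsed pieces, and escaping it for the attribute context on output.

```php
<?php
// Added example, not from the original page. store.example.com and the
// session key 'confirm_link' are hypothetical.
declare(strict_types=1);

const ALLOWED_HOSTS = ['store.example.com', 'www.store.example.com'];

/**
 * Option 2 from the answer, done with parse_url instead of string patching:
 * accept a URL only if it is http(s), carries no userinfo, and points at an
 * allow-listed host. Returns the rebuilt URL, or null when rejected.
 */
function validate_store_url(string $candidate): ?string
{
    $candidate = trim($candidate);
    // Control characters and whitespace have no place in a URL we will embed.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // relative, protocol-relative (//evil) or unparsable
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // javascript:, data:, file:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                      // http://store.example.com@evil.example/
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    // Rebuild from parsed components so only what we inspected is emitted.
    $url = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

/**
 * Option 1 from the answer: the server already knows the confirmation URL, so
 * store it in the session and never read it back from the request. $session
 * is passed in (normally $_SESSION) so the function can be exercised offline.
 */
function store_confirmation_link(array &$session, string $url): void
{
    if (validate_store_url($url) === null) {
        throw new InvalidArgumentException('refusing to store an off-site or malformed URL');
    }
    $session['confirm_link'] = $url;
}

/** Escape once, for both the text node and the double-quoted src attribute. */
function render_iframe(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $safe . "</p>\n"
         . '<iframe src="' . $safe . '" width="1000" height="900"></iframe>';
}

// Constructed inputs for a self-check; run with `php this_file.php`.
$cases = [
    'https://store.example.com/confirm?id=42',          // accepted
    'http://store.example.com/confirm"onload="alert(1)', // accepted, quote escaped on output
    'https://evil.example/confirm',                      // rejected: host not allowed
    'https://store.example.com@evil.example/',           // rejected: userinfo
    '//evil.example/confirm',                            // rejected: no scheme
    'javascript:alert(document.cookie)',                 // rejected: scheme
];
foreach ($cases as $input) {
    $ok = validate_store_url($input);
    printf("%-52s %s\n", $input, $ok === null ? 'REJECT' : 'ACCEPT');
    if ($ok !== null) {
        echo render_iframe($ok), "\n";
    }
}

// Session path: $session stands in for $_SESSION here.
$session = [];
store_confirmation_link($session, 'https://store.example.com/confirm?id=42');
echo render_iframe($session['confirm_link']), "\n";
// In the real page: $src = validate_store_url($_POST['link'] ?? '');
//                   echo $src === null ? 'Invalid link' : render_iframe($src);
```

The second case shows why the allow-list alone is not enough: a URL on the right host can still carry a double quote, so the attribute must be escaped with htmlspecialchars(..., ENT_QUOTES) regardless of how the URL was validated. Rebuilding the URL from parse_url's components rather than echoing the raw input means that anything the parser dropped (fragments, stray userinfo) never reaches the page.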

Robus

Matt Williamson: +1 Agreed. Anything coming from the browser can't be trusted.
Murtez: Hi, that echo is just for testing purposes; it will be removed once the script is done.
Robus: This one as well? echo "<iframe src =\"" . $lnk . "\" width=\"1000\" height=\"900\"></iframe>";
Murtez: That opens the URL in the iframe, which is the whole point of the script. I just want to make it secure for the rest of the site somehow.
Rook: -1 xss wtf dude!?
rFactor: That's insecure..