Basically I'm trying to open a URL in my .NET application. This can be achieved easily by doing:

Process.Start("http://www.google.com")

However, in my case the URL can be controlled by external users; therefore, I don't want them to execute commands in the system by injecting metacharacters etc.

So a safe way would be:

  • Read the registry and see what the default browser is
  • Create a new Process() with the default browser's executable
  • Supply the URL as an argument
  • Start the process

Before implementing this, I just want to be sure I'm not making this overcomplicated. What do you think?

I'm not keen on implementing filtering on the input; it's just a dirty solution.

+10  A: 

Why not instead make sure it's a valid HTTP url by parsing it?

using System;
using System.Diagnostics;

Uri target = null;
// Accept only strings that parse as an absolute URI with an http or https scheme.
if ( Uri.TryCreate(userSuppliedString, UriKind.Absolute, out target) &&
      (Uri.UriSchemeHttp == target.Scheme || Uri.UriSchemeHttps == target.Scheme) )
{
  // It's a URI that I can use; start it from the parsed Uri, not the raw input.
  Process.Start(target.ToString());
}

Note that this example does not use the user-supplied string to create the process. It lets the Uri class format the string passed to the Start call.

You can extend the Scheme check to include all schemes that you feel are valid (FTP for instance).

JaredPar
dr. evil
@Slough, no, but I believe it would be for file://c:/windows/system32/cmd.exe or something along those lines
JaredPar
thumbs up to MS for implementing it better than classical Shell() calls :)
dr. evil
+1  A: 

I would rather validate the input. It should be easy with the Uri class.

jachymko
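
Added example, not part of the original question or answers: the Uri-based check both answers recommend, wrapped in a reusable helper and run over constructed inputs so the accept/reject behaviour is visible. The names SafeBrowserLauncher, TryGetWebUri and Open are hypothetical, and the sample strings are constructed.

```csharp
using System;
using System.Diagnostics;

static class SafeBrowserLauncher
{
    // Returns true only for absolute http/https URIs. 'safe' is the parsed Uri,
    // so callers never pass the raw user string on to Process.Start.
    public static bool TryGetWebUri(string input, out Uri safe)
    {
        safe = null;
        if (!Uri.TryCreate(input, UriKind.Absolute, out Uri parsed))
            return false;                       // not an absolute URI at all
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps)
            return false;                       // file:, ftp:, custom handlers, ...
        safe = parsed;
        return true;
    }

    // Opens the URL in the default browser only if it passed validation.
    public static bool Open(string input)
    {
        if (!TryGetWebUri(input, out Uri uri))
            return false;
        // UseShellExecute is set explicitly: it defaults to true on .NET Framework
        // but to false on .NET Core / .NET 5+, where a URL needs it to be started.
        Process.Start(new ProcessStartInfo(uri.AbsoluteUri) { UseShellExecute = true });
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs for illustration only.
        string[] samples =
        {
            "http://www.google.com",
            "HTTPS://Example.com/a b?q=1",
            "file://c:/windows/system32/cmd.exe",
            "notepad.exe",
            "ftp://example.com/file.txt",
        };
        foreach (string s in samples)
        {
            bool ok = TryGetWebUri(s, out Uri uri);
            Console.WriteLine("{0,-40} {1}", s, ok ? "allow -> " + uri.AbsoluteUri : "reject");
        }
    }
}
```

Main only prints the decision for each input; call Open to actually launch the browser for a validated URL.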