Escape User-generated Content - What Does That Mean?

I am starting to use the Share button from Google. I am actually using the Share link, and at some point in the docs it says this: Note: Replace {URL} with the URL of the page you

Solution 1:

To escape something means that you convert possible harmful characters into something that is not harmful for the computer to translate.

For example:

url = "<script>doSomeNastyStuff();</script>";

is a possible harmful string of contents. Mainly because youre storing plain javascript somewhere in your application.

When escaping this you're basically turning this into something not harmful at all.

Example:

url = "\"\x3Cscript\x3EdoSomeNastyStuff();\x3C\x2Fscript\x3E\"";

Now you've turned the harmful script into normal characters and when printed or stored you will not have to worry about a harmful script being injected into your code.

Other examples of escaping characters is this

var sayHello = "Hello "world", as you like to call yourself";

Now, this unescaped in javascript code would produce an error because the string has been terminated and the word 'world' is now a variable and then a new string starts.

This is the same string escaped to allow for quotation marks.

var sayHello ="Hello \"world\", as you like to call yourself";

And it's perfectly valid!

What Dillen suggests is exactly the right way for you to solve your problem but I thought explaining the escaping method would be appropriate as well.

Solution 2:

You must URL encode your URL, you can do this with any programming language. For more information see: http://www.permadi.com/tutorial/urlEncoding/

Javascript

var url = encodeURIComponent("http://example.com");

PHP

$url = urlencode("http://example.com");

C#

var url = HttpUtility.UrlEncode("http://example.com");