Best way to handle security and avoid XSS with user entered URLs
If you think URLs can’t contain code, think again!

https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Read that, and weep.

Here’s how we do it on Stack Overflow:

```csharp
using System.Text.RegularExpressions;

/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
    // Delete every character that is not in the allowlist below.
    return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
}
```
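
An added example, not part of the original answer and not Stack Overflow's code: the character allowlist in SanitizeUrl leaves letters, `:` and parentheses untouched, so the URL scheme survives it unchanged, and a scheme allowlist applied after the stripping step covers that gap. `UrlGuard` and `TryGetSafeUrl` are hypothetical names, and accepting only absolute `http`/`https` URLs is an assumption.

```csharp
using System;
using System.Text.RegularExpressions;

public static class UrlGuard
{
    // Same character allowlist as SanitizeUrl in the answer above.
    private static readonly Regex Disallowed =
        new Regex(@"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", RegexOptions.Compiled);

    // Assumption: user-supplied links may only use http or https.
    private static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    public static bool TryGetSafeUrl(string input, out string safeUrl)
    {
        safeUrl = null;
        if (string.IsNullOrWhiteSpace(input)) return false;

        // 1. Strip first, so the scheme check sees the exact string that will be emitted.
        string cleaned = Disallowed.Replace(input, "");

        // 2. Require something that parses as an absolute URL; anything else is rejected.
        if (!Uri.TryCreate(cleaned, UriKind.Absolute, out Uri uri)) return false;

        // 3. Allowlist the scheme. Uri.Scheme is lower-cased by the parser.
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return false;

        safeUrl = uri.AbsoluteUri;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "https://example.com/a?b=1",
            "http://example.com/\"><b>",
            "javascript:alert(1)",
            "data:text/html,hello",
            "/relative/path",
        };
        foreach (string s in samples)
        {
            bool ok = TryGetSafeUrl(s, out string safe);
            Console.WriteLine($"{(ok ? "ALLOW" : "DENY"),-5} {s} -> {safe ?? "-"}");
        }
    }
}
```

The returned value still has to be HTML-attribute-encoded when it is written into an `href` or `src`.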