One of the first rules of security is to never trust user data. However it is not uncommon that a website needs to allow a visitor to key in a url and that url needs to be used on an href of an anchor tag. I have such a situation and I have no control over what the visitor may submit for the url.
I need to be able to tell if the url submitted is a Cross Site Scripting (XSS) risk and if so not allow it's use in an href. Or alternatively, if the url is a XSS risk, then if there is some way to clean the url or render it safe for use in an href of a anchor tag, that'd be preferable.
I have done quite a bit of research on the topic and am aware of Best way to handle security and avoid XSS with user entered URLs and Should I sanitize HTML markup for a hosted CMS? here on SO but neither provide clear modern guidance. I have seen there and elsewhere references to http://code.google.com/p/owasp-esapi-dotnet/ but it's unclear if this library is current and even more unclear how to use it to do what I am asking.
The https://code.google.com/archive/p/owasp-esapi-dotnet/ page for example claims that the API docs for the owasap esapi dot net library are here: https://alexsmolen.com/dotnetesapidoc/index.html but the page returns an error about a missing key. Not something that instills confidence or provides info about the APIs available. Hmm. This page https://www.owasp.org/index.php/Category:OWASP_.NET_Project appears to be docs for OWASP related to .net but nowhere on the page does it mentions the esapi library.
How can I evaluate whether a given url is a XSS vulnerability and if it is a XSS vlnerability how can I clean it and use it safely in an href of a html anchor tag?
