Sometimes your Meteor application will need to store internal application links.

Maybe you want to save the last route a user visited, or maybe you want to associate notifications with a certain route within your application.

Storing URLs

It can be tempting to store these links as full URLs in your database and render them on the client as a simple anchor tag:

<a href="{{url}}">{{link}}</a>

Don’t give into temptation! This kind of linking can be a source of danger for your users.

If a malicious user has control over the URL inserted into the database, they can link other users of your application to potentially dangerous third-party websites.

For example, an attacker could manually create a new notification and provide their own URL:

Notifications.insert({
  link: "Error dectected - please fix!",
  url: "http://www.evil-website.com"
});

Other users might see this “Error detected - please fix!” link, click it, and be redirected to http://www.evil-website.com.

Evil Website® might attempt to deceive them, extract some information from them, or even be used as a vehicle for exploiting a Cross Site Request Forgery (CSRF) vulnerability on another website.

Storing Routes

Rather than storing the entire URL in your database, only store the information necessary to recreate the URL on the client.

For example, when using Iron Router (or Flow Router), it would be sufficient to simply store the route name in your database. On the client, you could use the pathFor helper to construct the link:

<a href="{{pathFor route}}">{{link}}</a>

Similarly, in-application links can be built using the <Link> React component if your application is using React Router:

<Link to=`${route}`>{link}</Link>

Building dynamic internal links like this is a much safer alternative to using raw anchor tags. It prevents attackers from potentially linking other users of your application to malicious third-party websites.