how to tell link is safe and trusted

I am developing a PHP web application through Yii2 framework that enable the user to enter any link and display it within iframe I need to know

    is it safe for the web application and user to use this feature (iframe) with his own link
    how to avoid risks
    if the user has entered a link how to tell this link is safe and trusted
thank,
Ramy MohsenAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
There isn't any way to tell.  If you display it in an iframe, your server code never sees that content because it gets loaded by the user's browser directly into the iframe.
Brittk McGheeCommented:
The most excellent proposal I can offer is to browse smart. That means you have to twice check the URL of your,social networking site, and e-mail site before you log in. Its very safe for web application uses this aspect.
Ramy MohsenAuthor Commented:
if the user has entered a link can I use a service to tell this link is safe and trusted  or not
Become a Microsoft Certified Solutions Expert

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

Learn More!
skijCommented:
You may be interested in this free service:
https://www.mywot.com/

It rates the safety of websites, based on user-submitted data and other factors.

It offers a free API which can be used with PHP to determine the safety of websites, based on their system:
https://www.mywot.com/en/api

The API is free for non-commercial use and allows up to 10 API requests per second and up to 25,000 API requests per day.
https://www.mywot.com/en/terms/api

Documentation about the API may be found here:
https://www.mywot.com/wiki/API

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
if the user has entered a link can I use a service to tell this link is safe and trusted  or not
No, you cannot.  Your strategy is risky and dangerous.  It should be avoided.  Here's why.

When you see the link, all you can know is the character string that makes up the URL.  You cannot know what is going to be loaded from that URL.  It can be "safe and trusted" one moment and "toxic and damaging" the next.  You have no control at all.  A client visit to the URL, which is caused by loading in the iframe or browser window, causes your browser to run JavaScript immediately and without warning.  What does the JavaScript contain?  You cannot know what the JavaScript will do to the client machine until the client runs the JavaScript code.

This is part of PHP Security.  There are well-documented standard practices that are necessary to keep users of your web site safe from one another.  You may also want to learn about OWASP and become involved.
Ray PaseurCommented:
Couple of thoughts about MyWOT.
https://safeweb.norton.com/reviews?url=mywot.com
https://www.facebook.com/Anti.W0T
http://www.sitejabber.com/reviews/www.mywot.com
I have no way to evaluate these claims, but "buyer beware."
skijCommented:
The only way to accomplish your objective is to use a third-party validation service.  I have used MyWOB for this and it meets my needs nicely.  Of course any popular service will have its haters, including this website!  I am not going to argue with Ray anymore about this, but I will say I have used the MyWOB API for three years with great results.

Here is a working prototype accomplishing the request made in your original post.  If you find that it blocks too many sites, you can lower the value of $sensitivity.
<?php

$sensitivity = 95;

if(empty($_POST['url'])) {

?>
<!DOCTYPE html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>Demo</title>
</head>
<body>

<h1>Hello</h1>

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>" method="post" target="f">
 URL: <input type="text" name="url" />
 <input type="submit" />
</form>

<div>
 <iframe width="80%" height="200" name="f"></iframe>
</div>

</body>
</html>
<?php
}
else {

$site = $_POST['url'];

$urlinfo = parse_url($site);
if (!isset($urlinfo['host'])) $urlinfo = parse_url('http://' . $site);

$host = preg_replace('/[^a-z0-9\-\.]/i', '', $urlinfo['host']);

$siteReport = json_decode(file_get_contents('http://api.mywot.com/0.4/public_link_json2?hosts='. $host .'/&key=59e026a43597840e5ddefba4d692be8212926801'));

if( !empty($siteReport->{$host}->categories->{'501'}) && $siteReport->{$host}->categories->{'501'} > $sensitivity ) {
 header('Location: ' . $urlinfo['scheme'] . '://' . $host . (empty($urlinfo['path']) ? '' : $urlinfo['path'])  . (empty($urlinfo['query']) ? '' : '?' . $urlinfo['query']), TRUE, 307);
 exit;
}
else {
  echo 'Bad Site!'; 
}

}

?>

Open in new window

Ramy MohsenAuthor Commented:
thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.