I want to store users' personal urls as plain text, encoded by htmlspecialchars().

我想将用户的个人 url 存储为纯文本，由 htmlspecialchars() 编码。

Then I would retrieve this data and generate and display a link, as follows:

然后我将检索这些数据并生成并显示一个链接，如下所示：

echo '<a href="'.$retrieved_string.'" target="_blank">';

And yet, even with encoded special chars and quotes, the href may not be safe, due to the potentially inserted javascript, example of a bad link:

然而，即使使用编码的特殊字符和引号，href 也可能不安全，因为可能插入了 javascript，例如错误链接：

javascript:alert(document.cookie);

So what I'm thinking is to strip up for a potential 'javascript' tag (before I do the special chars encode of course), as follows:

所以我在想的是去掉一个潜在的“javascript”标签（当然在我做特殊字符编码之前），如下所示：

preg_replace('/^javascript:?/', '', $submitted_and_trimmed_input);

So let us sum it up altogether:

所以让我们总结一下：

$input=htmlspecialchars(preg_replace('/^javascript:?/', '', trim($_POST['link'])),11,'UTF-8',true);
mysql_query("update users set link='".mysql_real_escape_string($input)."'");

//And retrieving:

$query=mysql_query("select link from users");
$a=mysql_fetch_assoc($query);
echo '<a href="'.$a['link'].'" target="_blank">';

Now the question is, would it be enough to an url link safe, or is there any other potential surprises I should be alert against?

现在的问题是，它是否足以使 url 链接安全，或者是否还有其他任何我应该警惕的潜在意外？

EDIT:

编辑：

I've read a bit about filter_var() and it seems to utterly fail in many ways. It doesn't validate international domains with unicode chars, then again the following string successfully passes the test:

我已经阅读了一些关于 filter_var() 的内容，它似乎在很多方面都完全失败了。它不使用 unicode 字符验证国际域，然后以下字符串再次成功通过测试：

http://example.com/"><script>alert(document.cookie)</script>

• I mean common... that's just rediculous, there must be a better way

• 我的意思是普通……那太可笑了，一定有更好的方法