- make it a URL field: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values <del>- don't want to put 3rd party images (they might change) --> change to www.google.com - don't want to send traffic to 3rd party</del>
- don't want to put 3rd party images (they might change) --> change to www.google.com