URL validation constraint allows angled brackets #21961
Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 3.1.5 |
The URL validator (\Symfony\Component\Validator\Constraints\UrlValidator) will not report a violation for the following URL
http://example.com/exploit.html?<script>alert(1);</script>
I believe the specification requires that < and > must be URL encoded.
In comparison, the filter_var() will not reject the URL, but it returns a copy of the URL with everything from < stripped.