
URL validation constraint allows angled brackets #21961

@courtney-miles

Description

Q A
Bug report? yes
Feature request? no
BC Break report? no
RFC? no
Symfony version 3.1.5

The URL validator (\Symfony\Component\Validator\Constraints\UrlValidator) will not report a violation for the following URL:

http://example.com/exploit.html?<script>alert(1);</script>

I believe the specification requires that < and > must be URL encoded.

In comparison, filter_var() will not reject the URL, but it returns a copy of the URL with everything from < stripped.
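The behaviour the report describes is a lenient validator accepting characters that RFC 3986 says must be percent-encoded. The following Python block is an added example (not Symfony's UrlValidator and not PHP's filter_var()) that performs a strict per-component character check in the spirit of the RFC and, separately, rewrites a URL so that the disallowed characters are percent-encoded. The function names `url_violations` and `percent_encode_unsafe` and the regexes are my own; the sample URL is the one from this report and is labelled as constructed test input.

```python
"""Strict RFC 3986 character check for URLs.

Added example; this is not Symfony's UrlValidator and not filter_var().
"""
import re
from urllib.parse import quote, urlsplit, urlunsplit

# RFC 3986 "pchar" without the percent-encoded form:
# unreserved / sub-delims / ":" / "@". "<" and ">" are deliberately
# absent from this class because the RFC requires them to be encoded.
_PCHAR = r"[A-Za-z0-9\-._~!$&'()*+,;=:@]"
_PCT = r"%[0-9A-Fa-f]{2}"  # exactly one percent-encoded octet
# Character-class checks per component (not a full grammar parser):
_AUTHORITY_RE = re.compile(rf"^(?:{_PCHAR}|{_PCT}|[\[\]])+$")  # [] for IP literals
_PATH_RE = re.compile(rf"^(?:{_PCHAR}|{_PCT}|/)*$")
_QUERY_RE = re.compile(rf"^(?:{_PCHAR}|{_PCT}|[/?])*$")  # query and fragment

# Constructed test input: the URL from the bug report above.
CONSTRUCTED_REPORTED_URL = "http://example.com/exploit.html?<script>alert(1);</script>"


def url_violations(url: str) -> list[str]:
    """Return the names of the URL components that contain characters
    RFC 3986 does not allow unencoded. An empty list means the URL passes."""
    parts = urlsplit(url)
    bad = []
    if parts.scheme.lower() not in ("http", "https"):
        bad.append("scheme")
    if not parts.netloc or not _AUTHORITY_RE.match(parts.netloc):
        bad.append("authority")
    if not _PATH_RE.match(parts.path):
        bad.append("path")
    if not _QUERY_RE.match(parts.query):
        bad.append("query")
    if not _QUERY_RE.match(parts.fragment):
        bad.append("fragment")
    return bad


def percent_encode_unsafe(url: str) -> str:
    """Rebuild the URL with disallowed characters in the path, query and
    fragment percent-encoded. Existing %XX escapes are kept as they are
    because "%" is listed as safe."""
    parts = urlsplit(url)
    safe_path = "/:@!$&'()*+,;=%"
    safe_query = safe_path + "?"
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        quote(parts.path, safe=safe_path),
        quote(parts.query, safe=safe_query),
        quote(parts.fragment, safe=safe_query),
    ))


if __name__ == "__main__":
    print("violations:", url_violations(CONSTRUCTED_REPORTED_URL))
    fixed = percent_encode_unsafe(CONSTRUCTED_REPORTED_URL)
    print("encoded:   ", fixed)
    print("violations after encoding:", url_violations(fixed))
```

Running the block reports `["query"]` for the reported URL, because the `<` and `>` sit in the query string, and an empty list once the query has been rewritten as `%3Cscript%3Ealert(1);%3C/script%3E`. The regexes are character-class checks per component, not a full RFC 3986 grammar: the authority pattern, for instance, accepts `@` and `:` anywhere rather than only in their userinfo and port positions, which is enough to catch unencoded reserved characters but is not a substitute for a real URL parser.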
