XSS is Possible in URL function #20

soaj1664 opened this Issue May 3, 2014 · 0 comments


soaj1664 commented May 3, 2014


XSS is possible in the URL function that is available here:

public static function url($data, $encode = false, $default = false){

The vector is:

The regular expression you are using happily parses the above vector and an attacker can execute JavaScript. The easiest fix would be, instead of having a-z and A-Z in the regular expression ..., something like http or https ...
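The fix the report proposes, as an added example that is not the project's code: a permissive scheme check of the assumed shape `^[a-zA-Z]+:` beside an allow-list that accepts only http and https, run over constructed sample inputs. The original regex is not shown on the page, so its shape here is an assumption.

```php
<?php
// Added example, not the project's code. Assumption: the original check is a
// scheme regex of the shape ^[a-zA-Z]+: ; the hardened form uses an allow-list.

/** Assumed shape of the original: any alphabetic scheme followed by ':' passes. */
function url_permissive(string $data, $default = false)
{
    return preg_match('/^[a-zA-Z]+:/', $data) ? $data : $default;
}

/** Hardened form: normalise, then accept only http:// or https:// URLs. */
function url_allowlisted(string $data, $default = false)
{
    // Strip ASCII whitespace and control characters before matching; browsers
    // tolerate them when parsing a scheme, so the check must not be fooled by them.
    $candidate = preg_replace('/[\x00-\x20\x7F]/', '', $data);
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Anchored, case-insensitive, and limited to the two schemes we intend to render.
    if (!preg_match('~^https?://[^/?#]+~i', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Constructed sample inputs: two ordinary URLs, one with leading whitespace,
// one with a non-HTTP scheme that only the permissive check accepts, one ftp URL.
$samples = [
    'http://example.com/path?q=1',
    'HTTPS://Example.com/',
    '  http://example.com/with-leading-space',
    'javascript:void(0)',
    'ftp://example.com/file',
];

foreach ($samples as $s) {
    printf("%-45s permissive=%-5s allowlisted=%s\n",
        var_export($s, true),
        var_export(url_permissive($s) !== false, true),
        var_export(url_allowlisted($s), true));
}
```

Only the first three samples survive `url_allowlisted()`; the permissive check passes the `javascript:` and `ftp:` samples unchanged, which is the behaviour the report describes.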

@frozeman frozeman added the Bug label Jun 10, 2015
