URL validation constraint allows angled brackets #21961
Labels
Comments
|
Confirmed. The following code reproduce the problem: <?php
use Symfony\Component\Validator\Constraints;
$validator = new Constraints\UrlValidator();
$const = new Constraints\Url();
// null instead of error because there is no context to build a violation
var_dump($validator->validate('http://example.com/exploit.html?<script>alert(1);</script>', $const));An easy test update is adding this URL here: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php#L149 The URI RFC reference that not all chars are supported Also this is an obvious problem for re-rending URLs in templating. |
fabpot
added a commit
that referenced
this issue
Mar 22, 2017
…s according to RFC 3986 (e-moe) This PR was submitted for the 3.2 branch but it was merged into the 2.7 branch instead (closes #22022). Discussion ---------- [Validator] fix URL validator to detect non supported chars according to RFC 3986 | Q | A | ------------- | --- | Branch? | 3.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #21961 | License | MIT | Doc PR | none Commits ------- 3599c47 [Validator] fix URL validator to detect non supported chars according to RFC 3986
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The URL validator (
\Symfony\Component\Validator\Constraints\UrlValidator) will not report a violation for the following URLI believe the specification requires that
<and>must be URL encoded.In comparison, the
filter_var()will not reject the URL, but it returns a copy of the URL with everything from<stripped.The text was updated successfully, but these errors were encountered: