ID: 51050 User updated by: pecoes at gmail dot com Reported By: pecoes at gmail dot com Status: Bogus Bug Type: Filter related Operating System: WinXP PHP Version: 5.3.1 New Comment:
Seriously? Well then it might be a good idea to add a warning label to the documentation, that successful validation does not protect from XSS attacks. Previous Comments: ------------------------------------------------------------------------ [2010-02-15 07:00:44] j...@php.net validate != filter. There's nothing wrong in the url syntax so it's passed on. More in the manual: http://php.net/filter ------------------------------------------------------------------------ [2010-02-15 05:21:37] pecoes at gmail dot com Description: ------------ Look at the code and its result. How is that validation? Reproduce code: --------------- $url = 'http://example.org/";><script>alert(\'oops\');</script'; echo '<a href="', filter_var($url, FILTER_VALIDATE_URL), '">test</a>'; Expected result: ---------------- <a href="">test</a> Actual result: -------------- <a href="http://example.org/";><script>alert('oops');</script">test</a> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=51050&edit=1
