ID: 51050 Updated by: ras...@php.net Reported By: pecoes at gmail dot com Status: Bogus Bug Type: Filter related Operating System: WinXP PHP Version: 5.3.1 New Comment:
I guess we could state it more strongly somewhere, but it does say: Validation is used to validate or check if the data meets certain qualifications. For example, passing in FILTER_VALIDATE_EMAIL will determine if the data is a valid email address, but will not change the data itself. Sanitization will sanitize the data, so it may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. That said, it does not validate the data. And just the name itself. VALIDATE_URL. There is nothing invalid about the URL in your example. Previous Comments: ------------------------------------------------------------------------ [2010-02-15 07:09:57] pecoes at gmail dot com Seriously? Well then it might be a good idea to add a warning label to the documentation, that successful validation does not protect from XSS attacks. ------------------------------------------------------------------------ [2010-02-15 07:00:44] j...@php.net validate != filter. There's nothing wrong in the url syntax so it's passed on. More in the manual: http://php.net/filter ------------------------------------------------------------------------ [2010-02-15 05:21:37] pecoes at gmail dot com Description: ------------ Look at the code and its result. How is that validation? Reproduce code: --------------- $url = 'http://example.org/";><script>alert(\'oops\');</script'; echo '<a href="', filter_var($url, FILTER_VALIDATE_URL), '">test</a>'; Expected result: ---------------- <a href="">test</a> Actual result: -------------- <a href="http://example.org/";><script>alert('oops');</script">test</a> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=51050&edit=1
