Url validator prone to XSS

\Phalcon\Validator\Validation\Url uses PHP internal function filter_var(), a function that, when validating url, is prone to XSS. Consider the following snippet:

    $url = 'http://phalconphp.com/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script>';

        $validation = new \Phalcon\Validation();
        $validation->add('url', new \Phalcon\Validation\Validator\Url());
        $messages = $validation->validate(array('url' => $url));

        if (0 === count($messages)) {
            echo '<a href="' . $url . '">Click here</a>';
        }

COOKIE!



1.5k
edited Dec '14

A valid email address could do XSS or SQL injection if you output it as it is without proper escaping.

You need proper escaping when you output.

But I'm not sure http://phalconphp.com/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script> is really a vaild URL or not.