ID: 51050
Updated by: [email protected]
Reported By: pecoes at gmail dot com
Status: Bogus
Bug Type: Filter related
Operating System: WinXP
PHP Version: 5.3.1
New Comment:
What you are after is a filter for the HTML context. There is nothing
wrong with your URL. You only have an issue with it if you use it in
an HTML context. It is your target context you should be filtering
for. The URL sanitizer is very explicitly documented as:
Remove all characters except letters, digits and $-
_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
Have a look through:
http://php.net/manual/en/filter.filters.sanitize.php
What you are looking for is FILTER_SANITIZE_SPECIAL_CHARS
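Added example (not code from the bug report or from PHP's own sources) illustrating the point above and the report at the bottom of this page: FILTER_VALIDATE_URL is run first to answer "is this a URL?", and the validated value is then escaped for the HTML attribute it is written into, with htmlspecialchars() and, as an alternative, the FILTER_SANITIZE_SPECIAL_CHARS filter named above. The safe_href() helper and its http/https scheme allow-list are this example's own additions, the input is the payload from the report, and the snippet assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// FILTER_VALIDATE_URL checks URL syntax only; the HTML attribute the URL
// ends up in needs its own, context-specific escaping step.

// Validate a URL for use as an href and escape it for the attribute context.
// Returns null when the input should not be linked at all.
// The scheme allow-list is an addition of this example: syntactic validity
// says nothing about which schemes an href is supposed to point at.
function safe_href(string $url): ?string
{
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Escape for the HTML attribute context. ENT_QUOTES is needed because
    // the attribute is delimited by '"' and the value may also carry "'".
    return htmlspecialchars($valid, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the payload from the report.
$url = 'http://example.org/"><script>alert(\'oops\');</script';

// What the report does: validation passes, because '"', '<', '>' and "'"
// are all legal URL path characters, and the value is then written into
// the attribute verbatim, so the attribute is broken out of.
$valid = filter_var($url, FILTER_VALIDATE_URL);
echo 'FILTER_VALIDATE_URL accepted it: ', var_export($valid !== false, true), "\n";
echo '<a href="', $valid, '">test</a>', "\n";

// Escaping for the attribute context leaves '"', '<' and '>' inert.
echo '<a href="', safe_href($url), '">test</a>', "\n";

// FILTER_SANITIZE_SPECIAL_CHARS encodes the same characters (as numeric
// entities) and is an alternative to htmlspecialchars() for this context.
// It is applied to the validated value, not used instead of validation.
echo '<a href="', filter_var($valid, FILTER_SANITIZE_SPECIAL_CHARS), '">test</a>', "\n";

// A URL the validator accepts but the allow-list rejects: valid syntax,
// but not a scheme this href is meant to link to.
var_dump(safe_href('ftp://example.org/pub'));
```

The order matters: validate the input as a URL, decide whether it is a URL you want to link to, and only then encode for the output context. Sanitizing the URL with FILTER_SANITIZE_URL, as the reporter notes further down, changes nothing here, because every character in the payload is a legal URL character.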
Previous Comments:
------------------------------------------------------------------------
[2010-02-15 07:20:03] pecoes at gmail dot com
Okay, I accept that the URL I posted is valid. But it deserves
pointing out that valid does NOT mean safe.
Btw FILTER_SANITIZE_URL has the same effect on this URL.
------------------------------------------------------------------------
[2010-02-15 07:14:17] [email protected]
I guess we could state it more strongly somewhere, but it does say:
Validation is used to validate or check if the data meets certain
qualifications. For example, passing in FILTER_VALIDATE_EMAIL will
determine if the data is a valid email address, but will not change the
data itself.
Sanitization will sanitize the data, so it may alter it by removing
undesired characters. For example, passing in FILTER_SANITIZE_EMAIL
will remove characters that are inappropriate for an email address to
contain. That said, it does not validate the data.
And just the name itself. VALIDATE_URL. There is nothing invalid about
the URL in your example.
------------------------------------------------------------------------
[2010-02-15 07:09:57] pecoes at gmail dot com
Seriously? Well then it might be a good idea to add a warning label to
the documentation, that successful validation does not protect from XSS
attacks.
------------------------------------------------------------------------
[2010-02-15 07:00:44] [email protected]
validate != filter. There's nothing wrong in the URL syntax, so it's
passed on. More in the manual: http://php.net/filter
------------------------------------------------------------------------
[2010-02-15 05:21:37] pecoes at gmail dot com
Description:
------------
Look at the code and its result. How is that validation?
Reproduce code:
---------------
<?php
// Payload passes FILTER_VALIDATE_URL unchanged and is echoed into the attribute as-is.
$url = 'http://example.org/"><script>alert(\'oops\');</script';
echo '<a href="', filter_var($url, FILTER_VALIDATE_URL), '">test</a>';
Expected result:
----------------
<a href="">test</a>
Actual result:
--------------
<a href="http://example.org/"><script>alert('oops');</script">test</a>
------------------------------------------------------------------------