ID:               51050
 User updated by:  pecoes at gmail dot com
 Reported By:      pecoes at gmail dot com
 Status:           Bogus
 Bug Type:         Filter related
 Operating System: WinXP
 PHP Version:      5.3.1
 New Comment:

Personally, I don't like sanitizing. I prefer to either accept or
reject. I don't think modifying a user's input is a good idea.

How about adding an optional FILTER_FLAG_ALLOW_SPECIAL_CHARS to
FILTER_VALIDATE_URL?

Or an optional FILTER_FLAG_DISALLOW_SPECIAL_CHARS, if that's what you
prefer...

Because, you know, using URLs in an HTML context is not such an exotic
scenario. :0)


Previous Comments:
------------------------------------------------------------------------

[2010-02-15 07:26:07] [email protected]

What you are after is a filter for the HTML context.  There is nothing
wrong with your URL.  You only have an issue with it if you use it in
an HTML context.  It is your target context you should be filtering
for.  The URL sanitizer is very explicitly documented as:

Remove all characters except letters, digits and $-
_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

Have a look through:

http://php.net/manual/en/filter.filters.sanitize.php

What you are looking for is FILTER_SANITIZE_SPECIAL_CHARS
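The point made in this thread, shown in code. This is an added example, not code from the bug report or from PHP's own test suite: it assumes PHP 7.1 or later, a constructed sample URL, and a hypothetical helper named `href_for_html`. It shows that a URL can pass FILTER_VALIDATE_URL and pass FILTER_SANITIZE_URL unchanged while still carrying characters that matter inside an HTML attribute, so the escaping has to be chosen by the output context.

```php
<?php
// Constructed input: a syntactically valid URL whose query string contains
// " < > which are legal URL characters but significant inside HTML.
$url = 'http://example.com/search?q="><b>x</b>';

// 1. Validation: the string is a well-formed URL, so it passes.
var_dump(filter_var($url, FILTER_VALIDATE_URL) !== false); // bool(true)

// 2. URL sanitizer: every character is in the documented allowed set
//    ($-_.+!*'(),{}|\^~[]`<>#%";/?:@&=), so nothing is removed.
var_dump(filter_var($url, FILTER_SANITIZE_URL) === $url);  // bool(true)

/**
 * Hypothetical helper: accept-or-reject on URL syntax, then escape for the
 * HTML attribute context. Returns null for anything that is not a URL, and
 * never modifies a URL that is accepted.
 */
function href_for_html(string $input): ?string
{
    // Reject input that is not a syntactically valid URL.
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Escape for where the value is going (a double-quoted attribute);
    // ENT_QUOTES covers both quote characters.
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

echo '<a href="' . href_for_html($url) . '">link</a>', PHP_EOL;
// <a href="http://example.com/search?q=&quot;&gt;&lt;b&gt;x&lt;/b&gt;">link</a>

// 3. The filter suggested above does the same job as a sanitizer: it
//    HTML-encodes ' " < > & and control characters using numeric entities.
echo filter_var($url, FILTER_SANITIZE_SPECIAL_CHARS), PHP_EOL;
// http://example.com/search?q=&#34;&#62;&#60;b&#62;x&#60;/b&#62;
```

Note that a URL rejected by `href_for_html` (for example one with no scheme) yields an empty `href=""`, so callers should handle the null return explicitly.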


------------------------------------------------------------------------

[2010-02-15 07:20:03] pecoes at gmail dot com

Okay, I accept that the URL I posted is valid. But it deserves
pointing out that valid does NOT mean safe.

Btw FILTER_SANITIZE_URL has the same effect on this URL.

------------------------------------------------------------------------

[2010-02-15 07:14:17] [email protected]

I guess we could state it more strongly somewhere, but it does say:

Validation is used to validate or check if the data meets certain
qualifications. For example, passing in FILTER_VALIDATE_EMAIL will
determine if the data is a valid email address, but will not change the
data itself.

Sanitization will sanitize the data, so it may alter it by removing 
undesired characters. For example, passing in FILTER_SANITIZE_EMAIL 
will remove characters that are inappropriate for an email address to 
contain. That said, it does not validate the data.

And just the name itself. VALIDATE_URL.  There is nothing invalid about
the URL in your example.

------------------------------------------------------------------------

[2010-02-15 07:09:57] pecoes at gmail dot com

Seriously? Well then it might be a good idea to add a warning label to
the documentation, that successful validation does not protect from XSS
attacks.

------------------------------------------------------------------------

[2010-02-15 07:00:44] [email protected]

validate != filter. There's nothing wrong in the url syntax so it's
passed on. More in the manual: http://php.net/filter

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/51050
