We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Url validator prone to XSS

\Phalcon\Validator\Validation\Url uses PHP internal function filter_var(), a function that, when validating url, is prone to XSS. Consider the following snippet:

    $url = 'https://phalcon.io/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script>';

        $validation = new \Phalcon\Validation();
        $validation->add('url', new \Phalcon\Validation\Validator\Url());
        $messages = $validation->validate(array('url' => $url));

        if (0 === count($messages)) {
            echo '<a href="' . $url . '">Click here</a>';


edited Dec '14

A valid email address could do XSS or SQL injection if you output it as it is without proper escaping.

You need proper escaping when you output.

But I'm not sure https://phalcon.io/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script> is really a vaild URL or not.