Url validator prone to XSS

Question

Url validator prone to XSS

heptagono Dec '14

Created Dec '14	Last Reply Dec '14	Replies 1	Views 915	Votes 0

heptagono 11.2k

Dec '14

\Phalcon\Validator\Validation\Url uses PHP internal function filter_var(), a function that, when validating url, is prone to XSS. Consider the following snippet:

    $url = 'https://phalcon.io/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script>';

        $validation = new \Phalcon\Validation();
        $validation->add('url', new \Phalcon\Validation\Validator\Url());
        $messages = $validation->validate(array('url' => $url));

        if (0 === count($messages)) {
            echo '<a href="' . $url . '">Click here</a>';
        }

COOKIE!

kenjis · Answer 1 · 2014-12-30T20:06:58-07:00

A valid email address could do XSS or SQL injection if you output it as it is without proper escaping.

You need proper escaping when you output.

But I'm not sure https://phalcon.io/"><script>alert("I.AM.THE.COOKIE.MONSTER!\n\n\n"+document.cookie)</script> is really a vaild URL or not.