
URL Validator does not work with Protocol-relative URLs

Open cstdenis opened this issue 9 years ago • 1 comments

Somewhat related to #40

Links and images cannot be used with protocol-relative URLs because FILTER_VALIDATE_URL is too strict.

"JavaScript:alert()" style URLs also will not work for this reason, though that is probably for the best for safety reasons.

cstdenis, Jul 05 '15 03:07

Simple, somewhat hacky, workaround to the issue. Not certain if it's safe, but can't see any case where it could allow anything malicious.

    public function validate($input)
    {
        $valid = filter_var($input, FILTER_VALIDATE_URL);

+      // Simple workaround for protocol relative urls.
+      // If sticking a protocol on the front makes it valid, assume it's valid
+      if(!$valid)
+          $valid = filter_var('http:'.$input, FILTER_VALIDATE_URL);

        return !!$valid;
    }
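
Review bot: the retry under `if(!$valid)` runs for every input that failed the first `filter_var` call, not only for protocol-relative ones, so the validator now accepts anything that happens to validate once `http:` is prepended. Gate the retry on the input actually starting with `//` (for example `strpos($input, '//') === 0`) so the fallback covers only the case the added comment names, and put braces around the single-statement `if` body. A test asserting that `javascript:alert()` and other scheme-bearing strings still return false after this change would pin down the safety assumption instead of leaving it to inspection.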

cstdenis, Jul 05 '15 04:07