Commit 3599c47

e-moe authored and fabpot committed
[Validator] fix URL validator to detect non supported chars according to RFC 3986
1 parent 2240ecf commit 3599c47
2 files changed, +7 -1 lines changed
‎src/Symfony/Component/Validator/Constraints/UrlValidator.php

Lines changed: 3 additions & 1 deletion
@@ -34,7 +34,9 @@ class UrlValidator extends ConstraintValidator
3434
\] # an IPv6 address
3535
)
3636
(:[0-9]+)? # a port (optional)
37-
(/?|/\S+|\?\S*|\#\S*) # a /, nothing, a / with something, a query or a fragment
37+
(?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )* # a path
38+
(?:\? (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a query (optional)
39+
(?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a fragment (optional)
3840
$~ixu';
3941

4042
/**
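
Review bot: The character classes on the three added lines (path, query, fragment) do not match RFC 3986 as the commit title states: `\pL\pN` accepts any Unicode letter or digit unencoded, while RFC 3986 permits only ASCII letters and digits among the unreserved characters and requires everything else to be percent-encoded (unencoded non-ASCII is the IRI syntax of RFC 3987). If accepting IRIs is intended, say so in the pattern comments; if not, narrow the class to `A-Za-z0-9`. The same classes omit `[` and `]`, so a query such as `?ids[]=1`, which the previous `\S`-based pattern accepted, will now fail; that is strict per the RFC but a behaviour change that deserves a test case and a changelog line. The `%%` only yields a single literal percent if the pattern is passed through a format function before matching, which this hunk does not show; please confirm. Note too that `'`, `(`, `)` and `;` remain valid, so passing this constraint is a syntax check only and the URL still needs context-appropriate escaping wherever it is output.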

‎src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php

Lines changed: 4 additions & 0 deletions
@@ -128,6 +128,7 @@ public function getValidUrls()
128128
array('http://symfony.com#'),
129129
array('http://symfony.com#fragment'),
130130
array('http://symfony.com/#fragment'),
131+
array('http://symfony.com/#one_more%20test'),
131132
);
132133
}
133134
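
Review bot: The only positive case added at line 131 exercises percent-encoding in the fragment, so the new path and query branches have no valid-URL coverage for `%XX` escapes or for the sub-delimiters they now list explicitly. Add cases with an escape in the path and in the query (for example a `%20` in each), and one with lowercase hex digits such as `%2f`, since the pattern accepts `[0-9A-Fa-f]`.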

@@ -167,6 +168,9 @@ public function getInvalidUrls()
167168
array('http://:password@@symfony.com'),
168169
array('http://username:passwordsymfony.com'),
169170
array('http://usern@me:password@symfony.com'),
171+
array('http://example.com/exploit.html?<script>alert(1);</script>'),
172+
array('http://example.com/exploit.html?hel lo'),
173+
array('http://example.com/exploit.html?not_a%hex'),
170174
);
171175
}
172176
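
Review bot: All three cases added at lines 171-173 put the bad input in the query, so nothing fails if the path or fragment branch is loosened later. Repeat them in path and fragment position, and add a truncated escape at the end of the string (`%` or `%2` as the last characters). Also, the `hel lo` case was already rejected by the previous `\S`-based pattern, so it does not pin down the new behaviour; the `<script>` and `not_a%hex` cases are the ones that do.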
