symfony
diff --git a/‎src/Symfony/Component/Validator/Constraints/UrlValidator.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Validator/Constraints/UrlValidator.php
+7-5Lines changed: 7 additions & 5 deletions b/‎src/Symfony/Component/Validator/Constraints/UrlValidator.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Validator/Constraints/UrlValidator.php
+7-5Lines changed: 7 additions & 5 deletions
diff --git a/‎src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+1Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+1Lines changed: 1 addition & 0 deletions
@@ -20,8 +20,8 @@
  */
 class UrlValidator extends ConstraintValidator
 {
-    const PATTERN = '~^
-            (%s)://                                 # protocol
+    const PATTERN = '<^
+            (%protocol%)://                         # protocol
             (([\pL\pN-]+:)?([\pL\pN-]+)@)?          # basic auth
             (
                 ([\pL\pN\pS-\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
@@ -33,8 +33,10 @@ class UrlValidator extends ConstraintValidator
                 \]  # an IPv6 address
             )
             (:[0-9]+)?                              # a port (optional)
-            (/?|/\S+|\?\S*|\#\S*)                   # a /, nothing, a / with something, a query or a fragment
-        $~ixu';
+            (?:/ (?:[\pL\pN\-._~!$&\'()*+,;=:@]|%[0-9A-Fa-f]{2})* )*      # a path
+            (?:\? (?:[\pL\pN\-._~!$&\'()*+,;=:@/?]|%[0-9A-Fa-f]{2})* )?   # a query (optional)
+            (?:\# (?:[\pL\pN\-._~!$&\'()*+,;=:@/?]|%[0-9A-Fa-f]{2})* )?   # a fragment (optional)
+        $>ixu';
 
     /**
      * {@inheritdoc}
@@ -58,7 +60,7 @@ public function validate($value, Constraint $constraint)
             return;
         }
 
-        $pattern = sprintf(static::PATTERN, implode('|', $constraint->protocols));
+        $pattern = str_replace('%protocol%', implode('|', $constraint->protocols), static::PATTERN);
 
         if (!preg_match($pattern, $value)) {
             $this->context->buildViolation($constraint->message)
 
@@ -163,6 +163,7 @@ public function getInvalidUrls()
             array('http://:password@@symfony.com'),
             array('http://username:passwordsymfony.com'),
             array('http://usern@me:password@symfony.com'),
+            array('http://example.com/exploit.html?<script>alert(1);</script>'),
         );
     }
Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,7 @@ public function getInvalidUrls()`
`163`	`163`	`array('http://:password@@symfony.com'),`
`164`	`164`	`array('http://username:passwordsymfony.com'),`
`165`	`165`	`array('http://usern@me:password@symfony.com'),`
	`166`	`+ array('http://example.com/exploit.html?<script>alert(1);</script>'),`
`166`	`167`	`);`
`167`	`168`	`}`
`168`	`169`