Closed
Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 3.1.5 |
The URL validator (`\Symfony\Component\Validator\Constraints\UrlValidator`) will not report a violation for the following URL:

`http://example.com/exploit.html?<script>alert(1);</script>`

I believe the specification requires that `<` and `>` must be URL encoded.

In comparison, `filter_var()` will not reject the URL, but it returns a copy of the URL with everything from `<` stripped.
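As an added illustration of the point above (example code written here, not from the issue, Symfony or PHP's `filter_var()`), the following Python check flags characters that RFC 3986 does not permit to appear literally in a URI and shows the percent-encoded form the report expects; the function names are assumptions.

```python
import re
from urllib.parse import quote

# RFC 3986 allows these characters literally: unreserved (ALPHA / DIGIT / - . _ ~)
# and reserved (gen-delims : / ? # [ ] @ and sub-delims ! $ & ' ( ) * + , ; =).
# Anything else, including '<', '>', '"', space and non-ASCII, must be pct-encoded.
_LITERAL_OK = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]")
# A well-formed pct-encoded octet: '%' followed by exactly two hex digits.
_PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
# Characters quote() must leave alone: the reserved set plus '%' of existing escapes.
_SAFE = "-._~:/?#[]@!$&'()*+,;=%"


def unencoded_chars(url: str) -> set:
    """Return the set of characters in `url` that RFC 3986 requires to be
    percent-encoded but that appear unencoded. A stray '%' that does not start
    a valid %XX triplet is reported as well."""
    # Remove valid escapes first so only malformed '%' characters remain.
    remaining = _PCT_ENCODED.sub("", url)
    return {ch for ch in remaining if not _LITERAL_OK.match(ch)}


def is_strictly_valid(url: str) -> bool:
    """True when every character of `url` is either allowed literally or
    part of a well-formed pct-encoded octet (the check the report asks for)."""
    return not unencoded_chars(url)


def encode_disallowed(url: str) -> str:
    """Percent-encode the disallowed characters while keeping the URL's
    structure (scheme, delimiters, existing escapes) intact."""
    return quote(url, safe=_SAFE)


if __name__ == "__main__":
    # The URL from the bug report.
    reported = "http://example.com/exploit.html?<script>alert(1);</script>"
    print(sorted(unencoded_chars(reported)))   # ['<', '>']
    print(encode_disallowed(reported))
```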