The URL validator (\Symfony\Component\Validator\Constraints\UrlValidator) will not report a violation for the following URL

http://example.com/exploit.html?<script>alert(1);</script>

I believe the specification requires that < and > must be URL encoded.

In comparison, the filter_var() will not reject the URL, but it returns a copy of the URL with everything from < stripped.