ansaurus

Question

PHP filter_var for a URL against XSS attacks

Answer 1

+1 A:

~~There's this built-in filter:~~

filter_var($url, FILTER_VALIDATE_URL);

This will return false with your example URL. If it were valid, it would return $url. Example:

glopes@nebm:~$ php -r "var_dump(filter_var('http://blah.com\"onclick=\"alert(document.cookie)', FILTER_VALIDATE_URL));"
bool(false)

Anyway, the solution to prevent XSS is to use htmlspecialchars. Since it's an attribute, you should use ENT_QUOTES:

htmlspecialchars($data, ENT_QUOTES);

But you should also validate the URL, because otherwise the user can include javascript:-like "URLs".

Artefacto 2010-07-15 10:09:58

read my code :-/

fire 2010-07-15 10:10:30

Ah sorry, the line was too long and I didn't read that part. But anyway, it does return false.

Artefacto 2010-07-15 10:12:25

That's strange what happens when you run http://pastebin.com/9Yvg7Gqn for me its dumping as bool(true) ??

fire 2010-07-15 10:15:58

@fire Nop, gives `false` on both the latest 5.2 and 5.3: http://codepad.viper-7.com/gt5udu

Artefacto 2010-07-15 10:20:04

Weird I am getting true on 5.2.6

fire 2010-07-15 10:27:45

@fire Look for FILTER_VALIDATE_URL in http://php.net/ChangeLog-5.php

Artefacto 2010-07-15 10:33:40

those changelog bastards!

fire 2010-07-15 10:43:37

It was fixed around Christmas 2009 which means only releases after that date will do the validation on the host part of the URL: that means 5.2.13/5.3.2 or newer.

salathe 2010-07-15 11:36:42

ansaurus

tags:

views:

answers:

PHP filter_var for a URL against XSS attacks

related questions