The fact that filter_var($url, FILTER_VALIDATE_URL) considers javascript://test%0Aalert(321) valid is not a weakness. If you think it is, your expectations about what filter_var is for are wrong.

filter_var($url, FILTER_VALIDATE_URL) validates the syntax of a URL against RFC 2396.

It is not meant to determine whether the resource pointed to by the URL is accessible.

It is not meant to determine whether it is safe to use the URL as the value of a href attribute in an a element of an HTML document when the URL is provided by a user.

It is not meant to consider the scheme (which may place restrictions on URLs that go beyond what is described in RFC 2396). For example, while ftp://foo:bar@baz is a valid FTP URL according to RFC 1738, 3.2 FTP, http://foo:bar@baz is not a valid HTTP URL according to RFC 2616, 3.2.2 http URL (even though some browsers can interpret such "URLs").

filter_var does not bake cakes, nor does it brew coffee. If you require cake or coffee, use something else (RFC 2324 is a good start).

Depending on the circumstances, displaying a URL which points to a resource that your server cannot access might be a good idea or a bad idea. Depending on the circumstances, displaying a URL that does not point to an HTTP or HTTPS resource might be a good idea or a bad idea. One size does not fit all.
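The separation of concerns described in the comment above, as an added example (this is not code from the bug report or from PHP itself): filter_var answers only "is this syntactically a URL?", and the scheme allowlist in safe_href is a separate, application-specific policy decision. The function name safe_href, the default allowlist of http and https, and the sample URLs are all assumptions made for the illustration.

```php
<?php
// Added example, not part of the original bug report.
// FILTER_VALIDATE_URL is a syntax check only. Whether a scheme is acceptable
// for an href attribute is the caller's policy; the allowlist here is an
// assumption about what one particular application wants to emit.

declare(strict_types=1);

/**
 * Return the URL if it is syntactically valid AND uses a scheme this
 * application is willing to put into an href attribute; otherwise null.
 *
 * @param string   $url            Untrusted, user-supplied URL.
 * @param string[] $allowedSchemes Lower-case schemes the application accepts (assumed default: http, https).
 */
function safe_href(string $url, array $allowedSchemes = ['http', 'https']): ?string
{
    // Step 1: syntax only. This is exactly, and only, what filter_var is for.
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }

    // Step 2: scheme policy, which filter_var does not (and should not) enforce.
    $scheme = parse_url($valid, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
        return null;
    }

    return $valid;
}

// Constructed sample inputs for the demonstration.
$samples = [
    'javascript://test%0Aalert(321)', // syntactically valid per the report, rejected by scheme policy
    'http://example.com/path?q=1',    // valid syntax and an allowed scheme
    'ftp://foo:bar@baz',              // valid syntax, but not http/https under the assumed policy
    'not a url',                      // fails the syntax check outright
];

foreach ($samples as $url) {
    $syntax = filter_var($url, FILTER_VALIDATE_URL) !== false ? 'valid' : 'invalid';
    $href   = safe_href($url);
    // Escape before emitting into an attribute; a scheme check is not an HTML-escaping step.
    $shown  = $href === null ? '(rejected)' : htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    printf("%-35s syntax=%-7s href=%s\n", $url, $syntax, $shown);
}
```

Run it with php on the command line. The point of the two columns is that "syntax=valid" and "href=(rejected)" can both be true for the same input: the javascript: and ftp: samples pass filter_var because they are well-formed URLs, and are dropped only by the application's own scheme policy. If an application legitimately needs to display ftp: or mailto: links, it widens the allowlist; filter_var does not need to change.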