8000 [Validator] fix URL validator to detect non supported chars according… · symfony/symfony@cde8557 · GitHub

Commit cde8557

committed
[Validator] fix URL validator to detect non supported chars according to RFC 3986
1 parent b0f8a7f commit cde8557


2 files changed

+7
-1
lines changed

2 files changed

+7
-1
lines changed

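--- a/src/Symfony/Component/Validator/Constraints/UrlValidator.php
+++ b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@@ -33,7 +33,9 @@ class UrlValidator extends ConstraintValidator
 \] # an IPv6 address
 )
 (:[0-9]+)? # a port (optional)
-(/?|/\S+|\?\S*|\#\S*) # a /, nothing, a / with something, a query or a fragment
+(?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )* # a path
+(?:\? (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a query (optional)
+(?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a fragment (optional)
 $~ixu';
 
 /**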
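Review bot: The new query and fragment classes omit `[` and `]`, so a URL such as `http://example.com/?ids[]=1`, which the old `\?\S*` branch accepted, is now rejected; RFC 3986 does require those characters to be percent-encoded, but bracketed array parameters are common in PHP applications and the visible test hunks do not cover the case. If that strictness is not intended, the query class could become `[\pL\pN\-._\~!$&\'\[\]()*+,;=:@/?]`; if it is intended, it deserves an explicit note for upgraders. Separately, the classes still allow `'`, `(` and `)` as RFC sub-delims, so a value that passes is syntactically valid but not safe to emit into HTML or JavaScript unescaped; a comment above the pattern such as `// syntactic check only: output must still be escaped for its context` would keep callers from treating the validator as an XSS filter. The pattern string starts above this hunk, so the scheme and host parts were not reviewed.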

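--- a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+++ b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@@ -123,6 +123,7 @@ public function getValidUrls()
 array('http://symfony.com#'),
 array('http://symfony.com#fragment'),
 array('http://symfony.com/#fragment'),
+array('http://symfony.com/#one_more%20test'),
 );
 }
 
@@ -163,6 +164,9 @@ public function getInvalidUrls()
 array('http://:password@@symfony.com'),
 array('http://username:passwordsymfony.com'),
 array('http://usern@me:password@symfony.com'),
+array('http://example.com/exploit.html?<script>alert(1);</script>'),
+array('http://example.com/exploit.html?hel lo'),
+array('http://example.com/exploit.html?not_a%hex'),
 );
 }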
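Review bot: All three new invalid cases in getInvalidUrls() exercise the query component only, so the path and fragment classes introduced by this commit have no negative test, and the single new valid case covers percent-encoding in a fragment but not in a path or query. I would add invalid entries such as `array('http://example.com/pa th'),`, `array('http://example.com/<b>'),` and `array('http://example.com/#not_a%hex'),` (constructed examples), plus a valid percent-encoded path in getValidUrls(). Both provider methods start above their hunks, so existing entries may already cover part of this.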
