XSS Filter Failure in isURL (2.0)

[aileen]

I know, issue #605 is closed, but I found a similar issue (this time for real):

A URL like https://example.com/foo/<script>alert('XSS')</script>/ is a valid URL in terms of validator.isURL().

Is there a chance to fix this?

Version 6.2.0

[chriso]

RFC 3986 states:

path = ( "/" segment )
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "" / "+" / "," / ";" / "="

RFC 1738 states:

The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text.

RFC 3987 says that < and > are not allowed.

tl;dr (, ) and ' are ok, but < and > are not.

I can fix this, but in general you should not be relying on the validator to suppress XSS attacks.

[aileen]

Yeah, I see... Will not rely on the validator only.

Just wanted to point it out here! 😊

Thanks, tho!

[chriso]

Fixed in 6.2.1

[aileen]

Wow! Awesome!