Hello,
I am not sure if this is the desired behaviour so I just wanted to check with you. We have had an issue that came up where we wanted to fix a valid cross-site scripting vulnerability in our web application code where the following malicious code – including an apostrophe (') and a round bracket sign ( ) ) – was injected:
https://example.org?q=search');alert(document.domain);
But when I tried to use the validators.url() function, it accepts the above as True:

```python
>>> validators.url("https://example.org?q=search');alert(document.domain);")
True
```
Apparently this should not happen. The desired behaviour of the url() routine would be False in this case. Do I overlook something or is the above accepted? Let me know if I am missing something or you need further information. My version of validators is 0.23.2 on Python 3.9.6.
Thank you,
Miklos
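
The following is an added example, not part of the original report and not code from the validators project. It uses only the standard library to show that every character in the reported query string is permitted by the RFC 3986 grammar, and how encoding the value for the output context neutralizes it. The sink `search('<q>');` is an assumption about the affected template, and the helper names are hypothetical.

```python
import html
import json
import string
from urllib.parse import parse_qs, urlsplit

# RFC 3986: query = *( pchar / "/" / "?" ), and pchar includes the
# sub-delims  ! $ & ' ( ) * + , ; =  so the reported characters are legal.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?%")

URL = "https://example.org?q=search');alert(document.domain);"  # from the report


def illegal_query_chars(url: str) -> set:
    """Characters in the query component that RFC 3986 does not allow."""
    return set(urlsplit(url).query) - QUERY_ALLOWED


def js_string(value: str) -> str:
    """Encode value as a JS string literal safe inside an inline <script>."""
    # json.dumps yields a double-quoted literal and escapes ", \, control
    # characters and (with the default ensure_ascii) all non-ASCII.
    out = json.dumps(value)
    for ch in "<>&'":  # also hide HTML-significant characters and '
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def html_attr(value: str) -> str:
    """Encode value for a quoted HTML attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    q = parse_qs(urlsplit(URL).query, separator="&")["q"][0]
    print("illegal query characters:", illegal_query_chars(URL))
    # Assumed sink: a template that writes  search('<q>');  into a script.
    print("unencoded:", "search('" + q + "');")
    print("encoded  :", "search(" + js_string(q) + ");")
    print("attribute:", '<input value="' + html_attr(q) + '">')
```
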