I have this URL for testing:
http://localhost:8000/2.php?site=https://google.com<script></script>
Then I am sanitizing "site":
$site = filter_input(INPUT_GET, 'site', FILTER_SANITIZE_URL);
var_dump($site); // string(35) "https://google.com"
echo "<br>";
Getting an absolutely safe URL. Then validating it:
$siteValidation = filter_var($site, FILTER_VALIDATE_URL);
var_dump($siteValidation); // bool(false)
And validation fails! Why?
CodePudding user response:
As you can read here, FILTER_SANITIZE_URL does not remove < or > from the string. That's why you see printed:
string(35) "https://google.com"
Clearly the string you see is not 35 chars long (inspect it via the developer tools in the browser and you'll see the "script" part is still there).
That's why the next lines fail to validate.
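The following is an added example, not code from the question or the answer above. It runs the question's input through FILTER_SANITIZE_URL and FILTER_VALIDATE_URL so the 35-character result and the failed validation can be seen on the command line rather than in a browser, and it shows the order a practitioner actually wants: validate the raw value, restrict the scheme, and HTML-escape on output instead of trusting the "sanitized" string. The http/https allow-list, the helper name safeUrlForHref, and the extra sample inputs are assumptions of this example, not something the page states.

```php
<?php
// Added example (not from the original question or answer). Demonstrates why
// FILTER_SANITIZE_URL leaves "<" and ">" in place, why FILTER_VALIDATE_URL
// then rejects the value, and how to validate and then HTML-escape a URL
// before echoing it. Sample inputs below are constructed for this example.

declare(strict_types=1);

/**
 * Return a URL that is safe to place in an href attribute, or null if the
 * input must be rejected. The http/https allow-list is an assumption of this
 * example; adjust it to the schemes the application really needs.
 */
function safeUrlForHref(string $raw): ?string
{
    // Step 1: validate the raw value. Do not sanitize first and assume the
    // result is safe: FILTER_SANITIZE_URL only strips characters that are
    // never legal in a URL, and it keeps <, >, ", ' and similar characters.
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }

    // Step 2: FILTER_VALIDATE_URL does not restrict the scheme, so a value
    // such as javascript://host/... can pass it. Allow only what you expect.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Step 3: escape for the HTML context in which the value is echoed.
    // A valid URL can still contain a double quote that ends an attribute.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs; the first is the value from the question.
$samples = [
    'https://google.com<script></script>',
    'https://google.com',
    'javascript://example.com/%0aalert(1)',
    'https://example.com/?q=a"onmouseover="alert(1)',
];

foreach ($samples as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_URL);
    $validated = filter_var($sanitized, FILTER_VALIDATE_URL);

    printf("raw:        %s\n", $raw);
    // strlen() shows the real length; a browser would hide the <script> tag.
    printf("sanitized:  %s (strlen %d)\n", $sanitized, strlen($sanitized));
    printf("validated:  %s\n", $validated === false ? 'false' : 'ok');
    printf("for href:   %s\n\n", safeUrlForHref($raw) ?? 'REJECTED');
}
```

Run it with the PHP CLI (php example.php). For the question's input, the sanitized string still contains the script tag and is 35 bytes long, and validation returns false, which matches the answer above. The practical conclusion is that a validation failure should be treated as a rejection of the input; the fix is not to make the sanitizer strip more characters, and whatever value is finally echoed into HTML still needs htmlspecialchars() regardless of which filter it passed.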