fix: check for critical schemes in url validation

f3-factory · Feb 13, 2022 · f185c66 · f185c66
1 parent a361ad4
commit f185c66
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/audit.php b/audit.php
@@ -36,7 +36,8 @@ class Audit extends Prefab {
 	*	@param $str string
 	**/
 	function url($str) {
-		return is_string(filter_var($str,FILTER_VALIDATE_URL));
+		return is_string(filter_var($str,FILTER_VALIDATE_URL))
+			&& !preg_match('/^(javascript|php):\/\/.*$/i', $str);
 	}
 
 	/**