Open cstdenis opened 9 years ago
Simple, somewhat hacky, workaround to the issue. Not certain if it's safe, but can't see any case where it could allow anything malicious.
public function validate($input)
{
$valid = filter_var($input, FILTER_VALIDATE_URL);
+ // Simple workaround for protocol relative urls.
+ // If sticking a protocol on the front makes it valid, assume it's valid
+ if(!$valid)
+ $valid = filter_var('http:'.$input, FILTER_VALIDATE_URL);
return !!$valid;
}
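Review bot: the retry at `if(!$valid)` runs for every input that failed the first check, not only for protocol-relative ones, so the `'http:'` prefix is tried on any rejected string. Consider testing that `$input` begins with `//` before the second `filter_var` call, so the fallback covers only the case named in the comment. The single-statement `if` body would also be easier to maintain wrapped in braces.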
Somewhat related to #40
Links and images cannot be used with protocol-relative URLs because FILTER_VALIDATE_URL is too strict.
"JavaScript:alert()" style URLs also will not work for this reason, though that is probably for the best for safety reasons.
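A narrower form of the workaround discussed in this issue, as an added example that is not part of the original post or the project's code: the `http:` prefix is applied only to inputs that start with `//`, and the resulting scheme is checked against an allowlist. The function name `isAllowedUrl`, the default scheme list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not the project's validate() method).
// Accepts absolute URLs and protocol-relative URLs, limited to allowlisted schemes.
function isAllowedUrl(string $input, array $schemes = ['http', 'https']): bool
{
    $candidate = $input;

    // Only treat the input as protocol-relative when it starts with exactly
    // two slashes; every other rejected string stays rejected.
    if (strncmp($input, '//', 2) === 0 && substr($input, 2, 1) !== '/') {
        // The scheme is added for validation only; the caller keeps $input.
        $candidate = 'http:' . $input;
    }

    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // FILTER_VALIDATE_URL checks URL syntax, not which scheme is used,
    // so the scheme is compared against the allowlist separately.
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), $schemes, true);
}

// Constructed sample inputs, not taken from the issue.
$samples = [
    '//example.com/a.png',     // protocol-relative
    'https://example.com/',    // absolute, allowlisted scheme
    'ftp://example.com/file',  // well-formed, scheme not allowlisted
    'example.com/a.png',       // no scheme and no leading "//"
    'JavaScript:alert()',      // the style of URL mentioned in the issue
];

foreach ($samples as $s) {
    printf("%-26s %s\n", $s, isAllowedUrl($s) ? 'accept' : 'reject');
}
```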