var_dump filter_var FILTER_SANITIZE_URL return behaviour


Here I am baffled as to why FILTER_SANITIZE_URL, when var_dump'ed, returns a wrong string length and doesn't remove tags such as . This happens with all filter_var predefined filter constants. Is this a bug, or is there a logic behind it?

I am using PHP 5.4 because I have to; our servers run on it. Let me demonstrate. I have this URL:

$url = 'http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string';

If I sanitise it and var_dump it:

var_dump(filter_var($url, FILTER_SANITIZE_URL));

it will return:

string(60) "http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string"

NOW, if I put malicious code in the URL:

$url = 'http://www.example.com/index.php?
<script>
function myFunction() {
    var x = "<?php echo $var; ?>";
    alert(x);

}
</script>a=1&b=2&c=3&d=some%20string';

the same code, var_dump(filter_var($url, FILTER_SANITIZE_URL)); will return this:

string(132) "http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string"

Pay attention to the type and length of the returned var: 72 characters more than the previous one, but clearly the string is still 60 characters long. Why do var_dump or filter_var behave in such a manner, please? If it is a bug, has it been fixed? As I record this type of data, I need this function to return the exact number of characters.

BEST ANSWER

FILTER_SANITIZE_URL removed all unnecessary characters from the URL, including spaces. If you check the page's view source, it shows:

<script>functionmyFunction(){varx="<?phpecho$var;?>";alert(x);}</script>

Why return 132 characters?

Because the <script> tag and the inner code are also included in the string. FILTER_SANITIZE_URL does not remove tags; it just removes spaces. This filter allows all letters, digits and

$-_.+!*'(),{}|\\^~[]`"><#%;/?:@&=

To remove malicious code, use other functions such as strip_tags():

$var = filter_var(strip_tags($url), FILTER_SANITIZE_URL);

If the code is included in the string, then why is it not displayed?

Because you are using var_dump and checking the result in a browser, and you cannot see any code inside a <script> tag in a browser unless you go to the page's view source.

If you remove the <script> tag, what should happen?

If you removed the <script> tag, then it would show the following:

string(115) "http://www.example.com/index.php?functionmyFunction(){varx="";alert(x);}a=1&b=2&c=3&d=some%20string"

The 17 characters of <script></script> are removed.
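An added example, not code from the question or the answer, that reproduces the poster's two inputs and prints the byte length at each step so the var_dump numbers can be checked without a browser hiding the markup (the helper names show() and containsTags() are hypothetical):

```php
<?php
// Added example (not from the question or answer). It runs the poster's two
// URLs through FILTER_SANITIZE_URL, strip_tags() and htmlspecialchars() and
// reports strlen() for each, the way var_dump() does.

// Print a label, the byte length and the value.
function show($label, $value)
{
    printf("%-20s string(%d) \"%s\"\n", $label, strlen($value), $value);
}

$clean = 'http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string';

$tainted = 'http://www.example.com/index.php?
<script>
function myFunction() {
    var x = "<?php echo $var; ?>";
    alert(x);

}
</script>a=1&b=2&c=3&d=some%20string';

// FILTER_SANITIZE_URL only drops bytes outside its allowed set (the
// whitespace here); < > " ? are legal URL characters, so the <script>
// block survives and the length grows. A browser renders that block as an
// invisible element, which is why it looked like the short string on screen.
show('sanitized clean', filter_var($clean, FILTER_SANITIZE_URL));
show('sanitized tainted', filter_var($tainted, FILTER_SANITIZE_URL));

// strip_tags() removes the HTML and PHP tags, but the JavaScript text between
// them is kept and ends up glued onto the query string.
show('strip_tags first', filter_var(strip_tags($tainted), FILTER_SANITIZE_URL));

// When a stored value is echoed into a page, encode it for HTML instead of
// relying on the URL filter: the markup becomes visible text and cannot run.
show('html-encoded', htmlspecialchars(filter_var($tainted, FILTER_SANITIZE_URL), ENT_QUOTES, 'UTF-8'));

// Detect leftover markup by comparing a value with its tag-stripped form
// rather than eyeballing var_dump output in a browser.
function containsTags($value)
{
    return strip_tags($value) !== $value;
}

var_dump(containsTags(filter_var($clean, FILTER_SANITIZE_URL)));
var_dump(containsTags(filter_var($tainted, FILTER_SANITIZE_URL)));
```

Run it from the command line (php example.php) so nothing is rendered as HTML and the raw bytes of each string are visible.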