I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in de url box to reduce the risk of XSS, I've tried to solve this with:
<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>
But I'm still able of putting javascript:// in de url box how could I prevent this?
with preg_replace
$website = preg_replace("/(javascript:\/\/)/i", "http://", mysql_real_escape_string($_POST['website']));
or with str_ireplace
$website = str_ireplace("javascript:", "http:", mysql_real_escape_string($_POST['website']));
$chk = parse_url($url);
switch ($chk['scheme']) {
case 'http':
case 'https':
break;
default:
// throw error here
break;
}
A clean solution would be using PHP's parse_url function and to check if the used protocol is HTTP or in a list of allowed protocols if you're allowing http:// and skype:// for example…
$url = 'http://username:password@hostname/path?arg=value#anchor';
$tmp = parse_url($url);
if ($tmp['scheme'] === 'http') {
echo 'is http://';
}
if (in_array($tmp['scheme'], array('http', 'skype', 'call')) {
echo 'is allowed protocol';
}