Bug #54600 possible parse_url problem
Submitted: 2011-04-25 11:19 UTC Modified: 2011-05-29 11:02 UTC
Avg. Score:4.3 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: tyra3l at gmail dot com Assigned:
Status: Not a bug Package: *URL Functions
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None

 [2011-04-25 11:19 UTC] tyra3l at gmail dot com
I've just read this article:
there is an interesting part:
"According to Facebook, it turned out that some older code was using PHP's built-in parse_url function to determine allowable URLs. For example, while parse_url("javascript:alert(1)") yields a scheme of "javascript" and a path of "alert(1)", adding whitespace gives a different result: parse_url(" javascript:alert(1)") does not return a scheme and has a path of "javascript:alert(1)". Other PHP developers should take note of the difference if parse_url is being used in security-related code."

I know that the documentation mentions that "This function is not meant to validate the given URL, it only breaks it up into the above listed parts." but maybe we should do something to prevent people from misusing this function.

I see 4 options:
- we should improve the code to strip whitespace, which would cause the function to return the same output for the forged URLs
- we should change the code so that the function never parses javascript: as a scheme; this would prevent people from using parse_url for this purpose, but judging from the article at least some code on Facebook would fail insecurely for this
- we should add more documentation about this issue; it can help, but I don't think that this would be the best fix.
- leave it as is; we documented that one should not use this for validation, we can't save people from their bad code. Personally I'm not supporting this.

What do you think?

Test script:
php -r 'var_dump(parse_url("javascript:alert(1)"));'

array(2) {
  ["scheme"]=>
  string(10) "javascript"
  ["path"]=>
  string(8) "alert(1)"
}

php -r 'var_dump(parse_url(" javascript:alert(1)"));'

array(1) {
  ["path"]=>
  string(20) " javascript:alert(1)"
}


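The following is an added example, not part of the bug report and not PHP's own code. It puts the scheme blocklist the quoted article describes next to an allowlist check that fails closed, and runs both over the whitespace case from the report plus a few related inputs. The function names is_safe_link_naive and is_safe_link and the sample URLs are constructed for this illustration; the only PHP API used is parse_url() itself.

```php
<?php
// Added example (not from the bug report or from PHP). Runs on PHP 5.3+.

// Blocklist in the style the quoted article describes: reject a link only
// when parse_url() reports the scheme "javascript". With leading whitespace
// parse_url() returns no 'scheme' key at all, so the check never fires and
// the link is allowed.
function is_safe_link_naive($url)
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    return $scheme !== 'javascript';    // everything else passes
}

// Allowlist (hypothetical helper): trim the ASCII whitespace and control
// characters browsers strip before parsing, require that parse_url() found
// a scheme, and accept only schemes from a short list. Anything parse_url()
// cannot assign a scheme to is rejected instead of waved through.
function is_safe_link($url, array $allowed = array('http', 'https'))
{
    $url = trim($url, " \t\n\r\0\x0B\x0C");
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return false;                   // fail closed: no scheme, no link
    }
    return in_array(strtolower($parts['scheme']), $allowed, true);
}

// Constructed sample inputs.
$samples = array(
    "javascript:alert(1)",
    " javascript:alert(1)",         // the bypass from the report
    "\tjavascript:alert(1)",
    "java\tscript:alert(1)",        // no scheme for parse_url(); browsers strip the tab
    "JavaScript:alert(1)",
    "//evil.example/x",             // protocol-relative, no scheme
    "example.com/path",             // bare path, no scheme
    "http://example.com/",
);

foreach ($samples as $u) {
    printf("%-28s naive=%-5s allowlist=%s\n",
        json_encode($u),
        is_safe_link_naive($u) ? 'allow' : 'deny',
        is_safe_link($u) ? 'allow' : 'deny');
}
```

Running this with `php example.php` shows the blocklist allowing every input that lacks a parse_url() scheme (the leading-space and leading-tab cases, the tab inside the scheme, the protocol-relative and bare-path cases), while the allowlist denies all of them and accepts only the http URL. The design point is the one the reporter's fourth option leaves to the caller: parse_url() does not normalise input, so a security decision built on it has to treat "no scheme" as a rejection, not as "not javascript".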
 [2011-05-29 11:02 UTC]
-Status: Open +Status: Bogus
 [2011-05-29 11:02 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

 [2011-05-29 12:26 UTC] tyra3l at gmail dot com
so it seems we are going with the last option: leave this as is.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 25 12:01:32 2024 UTC