René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"URL is validated as true if contains brackets or apostrophe signs","articleBody":"Hello, \r\n\r\nI am not sure if this is the desired behaviour so I just wanted to check with you. We have had an issue that came up where we wanted to fix a valid cross-site scripting vulnerability in our web application code where the following malicious code – including apostrophe (`'`) and a round bracket sign ( `)` )– was injected:\r\n\r\n`https://example.org?q=search');alert(document.domain);`\r\n\r\nBut when tried to use the `validators.url()` function it accepts the above as _True_ :\r\n\r\n```\r\n\u003e\u003e\u003e validators.url(\"https://example.org?q=search');alert(document.domain);\")\r\nTrue\r\n```\r\n\r\nApparently this should not happen. The desired behaviour of the `url()` routine is would be _False_ in this case. Do I overlook something or is the above accepted? Let me know if I am missing something or you need further information. My version of validators is 0.23.2 on Python 3.9.6 . \r\n\r\nThank you, \r\nMiklos","author":{"url":"https://github.com/mquartus","@type":"Person","name":"mquartus"},"datePublished":"2024-03-20T12:11:49.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/338/validators/issues/338"}