Description
Hello,
I am not sure if this is the desired behaviour so I just wanted to check with you. We have had an issue that came up where we wanted to fix a valid cross-site scripting vulnerability in our web application code where the following malicious code – including an apostrophe (') and a round bracket sign ()) – was injected:
https://example.org?q=search');alert(document.domain);
But when I tried to use the validators.url() function, it accepts the above as True:
>>> validators.url("https://example.org?q=search');alert(document.domain);")
True
Apparently this should not happen. The desired behaviour of the url() routine would be False in this case. Am I overlooking something or is the above accepted? Let me know if I am missing something or you need further information. My version of validators is 0.23.2 on Python 3.9.6.
Thank you,
Miklos
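
An added example, not part of the original issue or of the validators project: it checks the reported query string against the RFC 3986 query grammar, which permits the apostrophe, round brackets and semicolon, and then encodes the value for the output context where the injection would take effect. The inline-script search(...) sink and all function names are assumptions made for illustration; only the URL comes from the issue.

```python
import json
import re
from urllib.parse import urlsplit

# RFC 3986: query = *( pchar / "/" / "?" ). pchar covers unreserved,
# pct-encoded, sub-delims (which include ' ( ) ;), ":" and "@".
_QUERY_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*")


def query_is_rfc3986_valid(url: str) -> bool:
    """True when the query component uses only characters RFC 3986 permits."""
    return _QUERY_RE.fullmatch(urlsplit(url).query) is not None


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal for an inline <script>."""
    # json.dumps yields a double-quoted literal with quotes and backslashes
    # escaped; <, > and & are escaped as well so the value cannot close the
    # script element or start an HTML comment.
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_vulnerable(q: str) -> str:
    # Hypothetical sink: the value is concatenated into a single-quoted
    # JavaScript string, so an apostrophe ends the string early.
    return "<script>search('" + q + "');</script>"


def render_encoded(q: str) -> str:
    # Same hypothetical sink, with the value encoded for its context.
    return "<script>search(" + js_string_literal(q) + ");</script>"


URL = "https://example.org?q=search');alert(document.domain);"  # from the issue
Q = urlsplit(URL).query.partition("=")[2]  # value of the q parameter

if __name__ == "__main__":
    print("query valid per RFC 3986:", query_is_rfc3986_valid(URL))
    print("unencoded sink:", render_vulnerable(Q))
    print("encoded sink:  ", render_encoded(Q))
```
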