How to block javascript:// as url parameter

Question

I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in de url box to reduce the risk of XSS, I've tried to solve this with:

<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>

But I'm still able of putting javascript:// in de url box how could I prevent this?

Answer 1

A clean solution would be using PHP's parse_url function and to check if the used protocol is HTTP or in a list of allowed protocols if you're allowing http:// and skype:// for example…

$url = 'http://username:password@hostname/path?arg=value#anchor';
$tmp = parse_url($url);

if ($tmp['scheme'] === 'http') {
  echo 'is http://';
}

if (in_array($tmp['scheme'], array('http', 'skype', 'call')) {
  echo 'is allowed protocol';
}

Answer 2

$chk = parse_url($url);

switch ($chk['scheme']) {
case 'http':
case 'https':
    break;
default:
    // throw error here
    break;
}

Answer 3

with preg_replace

$website = preg_replace("/(javascript:\/\/)/i", "http://", mysql_real_escape_string($_POST['website']));

or with str_ireplace

$website = str_ireplace("javascript:", "http:", mysql_real_escape_string($_POST['website']));