$regex = "_^(?:(?:https?|ftp)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS";
Where do i added my Expression [A-Za-z0-9.,/&=?:_+#%-] to allow only these specific characters to be used while keeping the form of the URL as it is made in $regex,
I've tried adding it at the beginning after _^ but it finds every URL an invalid url, That after removing the _ from the Expression too.
The $regex works ok and prevents weird urls like www..doma@$#n.#@om but when it comes to the part after that like
www.domain.com/<script>alert('Hacked')</script>, It just allows every single special character to be used, So i've decided to allow only Alphanumeric and . , / & = ? : _ + # % - since they're used in every URL.
