Index: /Users/aaron/Sites/wp-includes/formatting.php
===================================================================
--- /Users/aaron/Sites/wp-includes/formatting.php	(revision 14218)
+++ /Users/aaron/Sites/wp-includes/formatting.php	(working copy)
@@ -2435,8 +2435,22 @@
 			break;
 
 		case 'siteurl':
+			$value = esc_url_raw($value);
+			if ( !is_url( $value ) )
+			{
+				$value = get_option( $option ); // Resets option to stored val in case of empty
+				if( function_exists('add_settings_error') )
+					add_settings_error('siteurl', 'invalid_siteurl', __('The WordPress address you submitted was not in the right format. Please enter a valid URL.'));
+			}
+			break;
 		case 'home':
 			$value = esc_url_raw($value);
+			if ( !is_url( $value ) )
+			{
+				$value = get_option( $option ); // Resets option to stored val in case of empty
+				if( function_exists('add_settings_error') )
+					add_settings_error('home', 'invalid_home', __('The Site address you submitted was not in the right format. Please enter a valid URL.'));
+			}
 			break;
 		default :
 			$value = apply_filters("sanitize_option_{$option}", $value, $option);
Index: /Users/aaron/Sites/wp-includes/pluggable.php
===================================================================
--- /Users/aaron/Sites/wp-includes/pluggable.php	(revision 14218)
+++ /Users/aaron/Sites/wp-includes/pluggable.php	(working copy)
@@ -1749,3 +1749,24 @@
 	return $r;
 }
 endif;
+
+if( !function_exists('is_url') )
+{
+	/**
+	 * Provides minimal validation that a string looks like a URL verifying only that it begins with http or https
+	 * Note that strings without dots (i.e. localhost) are considered valid RFC domain names so validation does 
+	 * not look for .com, .net, etc
+	 *
+	 * @since 3.0
+	 * @param string $url A URL to be validated. 
+	 * @return boolean
+	*/
+	function is_url( $url )
+	{
+		preg_match( '#http(s?)://(.+)#i', $url, $matches );
+		if( empty( $matches ) )
+			return false;
+			
+		return true;
+	}
+}
\ No newline at end of file