Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php	(revision 25562)
+++ wp-includes/pluggable.php	(working copy)
@@ -455,6 +455,26 @@
 }
 endif;
 
+if( !function_exists('is_url') ) {
+	/**
+	 * Provides minimal validation that a string looks like a URL verifying only that it begins with http or https
+	 * Note that strings without dots (i.e. localhost) are considered valid RFC domain names so validation does 
+	 * not look for .com, .net, etc
+	 *
+	 * @since 3.0
+	 * @param string $url A URL to be validated. 
+	 * @return boolean
+	*/
+	function is_url( $url )
+	{
+		preg_match( '#http(s?)://(.+)#i', $url, $matches );
+		if( empty( $matches ) )
+			return false;
+			
+		return true;
+	}
+}
+
 if ( !function_exists('wp_authenticate') ) :
 /**
  * Checks a user's login information and logs them in if it checks out.
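Review bot: The pattern in `preg_match( '#http(s?)://(.+)#i', $url, $matches )` is unanchored, so any string that merely contains `http://` or `https://` somewhere in the middle (a constructed example: `foo http://x`) is accepted, which defeats the stated purpose of checking that the value "begins with http or https"; the two capture groups are also never used. Anchoring the match and returning its result directly is enough: `return (bool) preg_match( '#^https?://.+#i', $url );`. If stricter checking is wanted, `filter_var( $url, FILTER_VALIDATE_URL )` exists in the standard library, though it is pickier about hosts than the docblock's localhost remark intends. Two smaller points: the surrounding pluggable functions use the `if ( ! function_exists(...) ) :` / `endif;` form with the brace on the same line, and the new block uses braces with the brace on its own line, so it reads as foreign; and the `@since 3.0` tag looks inconsistent with a working-copy patch against revision 25562, so it should presumably be the release this actually lands in.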
Index: wp-comments-post.php
===================================================================
--- wp-comments-post.php	(revision 25549)
+++ wp-comments-post.php	(working copy)
@@ -111,6 +111,10 @@
 
 $comment_type = '';
 
+if ( ! is_url ( $comment_author_url ) ) {
+	wp_die( __('<strong>ERROR</strong>: please enter a valid website address.') );
+}
+
 if ( get_option('require_name_email') && !$user->exists() ) {
 	if ( 6 > strlen($comment_author_email) || '' == $comment_author )
 		wp_die( __('<strong>ERROR</strong>: please fill the required fields (name, email).') );
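Review bot: The new guard `if ( ! is_url ( $comment_author_url ) )` rejects an empty string, because the helper's regex requires a scheme plus at least one character, so unless `$comment_author_url` (assigned above, outside this hunk) is guaranteed non-empty, every comment whose website field was left blank now dies with "please enter a valid website address"; the check should presumably be `if ( '' !== $comment_author_url && ! is_url( $comment_author_url ) )`. The later `require_name_email` block just below treats name and email as the only required fields, which supports reading the URL as optional. Minor style point: the call is written `is_url ( ... )` with a space before the parenthesis, unlike every other call in the hunk.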
