diff --git a/Core/Model/AgenciaTransporte.php b/Core/Model/AgenciaTransporte.php
index e9c46baab1..2fbb3f9a1b 100644
--- a/Core/Model/AgenciaTransporte.php
+++ b/Core/Model/AgenciaTransporte.php
@@ -91,6 +91,13 @@ public function test(): bool
         $this->nombre = $utils->noHtml($this->nombre);
         $this->telefono = $utils->noHtml($this->telefono);
         $this->web = $utils->noHtml($this->web);
+
+        // check if the web is a valid url
+        if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)) {
+            self::toolBox()::i18nLog()->error('invalid-web');
+            return false;
+        }
+
         return parent::test();
     }
 
diff --git a/Test/Core/Model/AgenciaTransporteTest.php b/Test/Core/Model/AgenciaTransporteTest.php
index 85455fdee0..0afbb36c87 100644
--- a/Test/Core/Model/AgenciaTransporteTest.php
+++ b/Test/Core/Model/AgenciaTransporteTest.php
@@ -52,6 +52,25 @@ public function testCreateWithNewCode()
         $this->assertTrue($agency->delete(), 'agency-cant-delete');
     }
 
+    public function testBadWeb()
+    {
+        $agency = new AgenciaTransporte();
+        $agency->codtrans = 'Test';
+        $agency->nombre = 'Test Agency';
+        $agency->web = 'javascript:alert(origin)';
+        $this->assertFalse($agency->save(), 'agency-can-save-bad-web');
+    }
+
+    public function testGoodWeb()
+    {
+        $agency = new AgenciaTransporte();
+        $agency->codtrans = 'Test';
+        $agency->nombre = 'Test Agency';
+        $agency->web = 'https://www.facturascripts.com';
+        $this->assertTrue($agency->save(), 'agency-cant-save-good-web');
+        $this->assertTrue($agency->delete(), 'agency-cant-delete');
+    }
+
     protected function tearDown(): void
     {
         $this->logErrors();
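Review bot: The new `filter_var(..., FILTER_VALIDATE_URL)` check in `test()` does not restrict the scheme: it only requires that a scheme and (for most schemes) a host be present, so the `javascript:` case in the test is rejected because it has no host, not because of its scheme, and a non-http scheme written with a host part would still pass and reach the stored `web` field that is presumably rendered as a link. Since `web` is an untrusted, user-entered value, the meaningful check is an allowlist of the schemes the application intends to link to, e.g. `$scheme = strtolower((string) parse_url($this->web, PHP_URL_SCHEME));` and `if (!empty($this->web) && (!filter_var($this->web, FILTER_VALIDATE_URL) || !in_array($scheme, ['http', 'https'], true))) {`. The same allowlist also makes the rejection reason explicit for the `invalid-web` log message, and the comment should say so: `// only absolute http(s) URLs are accepted as the agency website`. The enclosing `test()` method starts before the hunk.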
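Review bot: `testBadWeb` pins only a scheme-less, host-less value, and `testGoodWeb` only a full `https://` URL, so neither documents the behaviour users will actually hit: `FILTER_VALIDATE_URL` rejects a bare host such as `www.facturascripts.com` (no scheme), which is the form most people type into a website field. Add one case asserting that a scheme-less host is rejected, so the product decision is recorded rather than implied, and one case with a non-http scheme that includes a host part so the scheme restriction (if adopted) is covered, e.g. `$agency->web = 'www.facturascripts.com'; $this->assertFalse($agency->save(), 'agency-can-save-web-without-scheme');`. Both new test methods could also declare `: void` like the neighbouring `tearDown(): void`, though the existing `testCreateWithNewCode()` omits it.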