$sanitizer->url() method

Sanitize and validate given URL or return blank if it can’t be made valid

  • Performs some basic sanitization like adding a scheme to the front if it's missing, but leaves alone local/relative URLs.
  • URL is not required to conform to ProcessWire conventions unless a relative path is given.
  • Please note that URLs should always be entity encoded in your output. Many evil things are technically allowed in a valid URL, so your output should always entity encode any URLs that came from user input.

Example

$url = $sanitizer->url('processwire.com/api/'); 
echo $sanitizer->entities($url); // outputs: http://processwire.com/api/

Usage

// basic usage
$string = $sanitizer->url(string $value);

// usage with all arguments
$string = $sanitizer->url(string $value, $options = []);

Arguments

| Name | Type(s) | Description |
| --- | --- | --- |
| value | string | URL to validate |
| options (optional) | bool, array | Array of options to modify default behavior, including: |

  • allowRelative (boolean): Whether to allow relative URLs, i.e. those without domains (default=true).
  • allowIDN (boolean): Whether to allow internationalized domain names (default=false).
  • allowQuerystring (boolean): Whether to allow query strings (default=true).
  • allowSchemes (array): Array of allowed schemes, lowercase (default=[] any).
  • disallowSchemes (array): Array of disallowed schemes, lowercase (default=['file']).
  • requireScheme (bool): Specify true to require a scheme in the URL; if one is not present, it will be added to non-relative URLs (default=true).
  • convertEncoded (boolean): Convert most encoded hex characters (i.e. “%2F”) to non-encoded? (default=true)
  • encodeSpace (boolean): Encode space to “%20” or allow “%20” in URL? Only useful if convertEncoded is true. (default=false)
  • stripTags (bool): Specify false to prevent tags from being stripped (default=true).
  • stripQuotes (bool): Specify false to prevent quotes from being stripped (default=true).
  • maxLength (int): Maximum length in bytes allowed for URLs (default=4096).
  • throw (bool): Throw exceptions on invalid URLs (default=false).

Return value

string

Returns a valid URL or blank string if it can't be made valid.

Exceptions

Method can throw exceptions on error:

  • WireException - on invalid URLs, only if $options['throw'] is true.
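
The options and the entity-encoding note above, combined for a user-submitted link. This is an added example, not ProcessWire's own code: it assumes a template-file context where `$sanitizer` is in scope, and `cleanExternalLink()`, the 2048-byte limit and the sample inputs are constructed for illustration.

```php
<?php namespace ProcessWire;

// Assumption: runs inside a ProcessWire template file, so the $sanitizer
// API variable already exists.

/**
 * Hypothetical helper: accept only absolute http/https links from user input.
 * Returns the sanitized URL, or '' when the value is rejected.
 */
function cleanExternalLink(Sanitizer $sanitizer, $value) {
    try {
        return $sanitizer->url($value, [
            'allowRelative' => false,             // user links must name a host
            'allowSchemes'  => ['http', 'https'], // explicit allow list instead of "any"
            'requireScheme' => true,              // scheme is added if missing
            'maxLength'     => 2048,              // tighter than the 4096 default
            'throw'         => true,              // raise WireException on invalid URLs
        ]);
    } catch (WireException $e) {
        // Treat an exception the same as the blank-string return: rejected.
        return '';
    }
}

// Constructed sample inputs (not from the ProcessWire docs, except the first).
$samples = [
    'processwire.com/api/',
    'https://example.com/?q="quoted"&tag=<b>x</b>',
    'ftp://example.com/file.txt',
    'file:///tmp/example.txt',
    '/relative/path/',
];

echo "<ul>\n";
foreach ($samples as $raw) {
    $url = cleanExternalLink($sanitizer, $raw);
    if ($url === '') {
        // Even rejected input is entity encoded before it is echoed back.
        echo "<li>rejected: " . $sanitizer->entities($raw) . "</li>\n";
        continue;
    }
    // A sanitized URL is still encoded at output time, as the note above says.
    $safe = $sanitizer->entities($url);
    echo "<li><a href=\"$safe\" rel=\"noopener noreferrer\">$safe</a></li>\n";
}
echo "</ul>\n";
```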


API reference based on ProcessWire core version 3.0.125
