$sanitizer->url() method

Sanitize and validate given URL or return blank if it can’t be made valid

  • Performs some basic sanitization like adding a scheme to the front if it's missing, but leaves alone local/relative URLs.
  • URL is not required to conform to ProcessWire conventions unless a relative path is given.
  • Please note that URLs should always be entity encoded in your output. Many evil things are technically allowed in a valid URL, so your output should always entity encoded any URLs that came from user input.

Example

$url = $sanitizer->url('processwire.com/api/'); 
echo $sanitizer->entities($url); // outputs: http://processwire.com/api/

Usage

// basic usage
$string = $sanitizer->url(string $value);

// usage with all arguments
$string = $sanitizer->url(string $value, $options = []);

Arguments

NameType(s)Description
valuestring

URL to validate

options (optional)bool, array

Array of options to modify default behavior, including:

  • allowRelative (boolean): Whether to allow relative URLs, i.e. those without domains (default=true).
  • allowIDN (boolean): Whether to allow internationalized domain names (default=false).
  • allowQuerystring (boolean): Whether to allow query strings (default=true).
  • allowSchemes (array): Array of allowed schemes, lowercase (default=[] any).
  • disallowSchemes (array): Array of disallowed schemes, lowercase (default=['file']).
  • requireScheme (bool): Specify true to require a scheme in the URL, if one not present, it will be added to non-relative URLs (default=true).
  • convertEncoded (boolean): Convert most encoded hex characters characters (i.e. “%2F”) to non-encoded? (default=true)
  • encodeSpace (boolean): Encoded space to “%20” or allow “%20“ in URL? Only useful if convertEncoded is true. (default=false)
  • stripTags (bool): Specify false to prevent tags from being stripped (default=true).
  • stripQuotes (bool): Specify false to prevent quotes from being stripped (default=true).
  • maxLength (int): Maximum length in bytes allowed for URLs (default=4096).
  • throw (bool): Throw exceptions on invalid URLs (default=false).

Return value

string

Returns a valid URL or blank string if it can’t be made valid.

Exceptions

Method can throw exceptions on error:

  • WireException - on invalid URLs, only if $options['throw'] is true.


$sanitizer methods and properties

API reference based on ProcessWire core version 3.0.160

Twitter updates

  • ProcessWire 3.0.161 adds support for selector operator stacking, enabling you automatically broaden searches in a single pages.find() call— More
    26 June 2020
  • ProcessWire 3.0.160 adds powerful new text-searching operators, bringing a new level of power to page-finding API calls, especially when it comes to search engine type queries. Post also includes a demo search engine where you can test it all out live— More
    19 June 2020
  • Preview of ProcessWire 3.0.160 with auto-enable of two-factor authentication, new version of TfaEmail and TfaTotp, and new selector operators coming next week. More
    12 June 2020

Latest news

  • ProcessWire Weekly #320
    In the 320th issue of ProcessWire Weekly we're going to check out the latest core updates (ProcessWire 3.0.161), a new third party module called Fieldtype Runtime only, an IndieWeb themed article from Francesco Schwarz, and more. Read on!
    Weekly.pw / 27 June 2020
  • Powerful new text-searching abilities in 3.0.160
    In ProcessWire 3.0.160 we’ve got some major upgrades and additions to our text-search abilities. This brings a whole new level of power to $pages->find() and similar API calls, especially when it comes to search engine type queries.
    Blog / 19 June 2020
  • Subscribe to weekly ProcessWire news

“To Drupal, or to ProcessWire? The million dollar choice. We decided to make an early switch to PW. And in retrospect, ProcessWire was probably the best decision we made. Thanks are due to ProcessWire and the amazing system and set of modules that are in place.” —Unni Krishnan, Founder of PigtailPundits