
Sanitizer URL validation


Ferdi Derksen

Hi all,

I'm pretty new here (working with PW for only a few weeks now) but I can't find out how the $sanitize->url() function should work.

In my case the input is only "http://" and I'd expected the sanitizer to return an empty string, but this isn't the case: it returns the exact input value. Is there an explanation for this, or are my expectations off-target?

Tnx in advance!


The sanitizer is internally relying on php's filter_var() function, which for me does return false for the string "http://". 

That's weird because when testing this on DEV 2.6.19 (also on Master 2.6.1) the following results appear:

var_dump(wire('sanitizer')->url("http://"));

string 'http://' (length=7)

var_dump(filter_var('http://', FILTER_VALIDATE_URL));

boolean false


If you disable the "allowQuerystring" option the issue should be gone. The setting tries to fake a domain for relative URLs with a query string, and somehow "http://processwire.com/http://" is a valid URL for PHP. But "http://" is definitely not a valid relative URL, so it would be nice if you could open a GitHub issue about this. You can just link to this topic.


10 months later...

Bumping this thread because I have a related question. I just discovered after a lot of testing that this:

$sanitizer->url('invalidurl');

Will return "invalidurl" instead of blank, as I'd expected.

Setting the allowRelative option to false prepends the string with "http://" and the resulting "http://invalidurl" passes validation. This does not seem like the behavior I expect. When I turn off allowRelative, I expect it to sanitize the string as-is, requiring a scheme, not adding one.

This is on PW 2.6.0, but looking at later versions of Sanitizer.php it appears it functions the same. For now I'll just call filter_var() directly to get the stronger validation I need.
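The two complaints in this thread (that "http://" passes because a fake domain is prepended when a query string is allowed, and that "invalidurl" passes because allowRelative=false prepends "http://") both come down to the same thing: a prefix is added before filter_var() runs, so the check validates a string the caller never supplied. The following is an added example, not ProcessWire core code, of the stricter "scheme and host required, nothing prepended" check the poster above says they want. The function names validateAbsoluteUrl() and checkUrls() and the sample inputs are this example's own; only filter_var(), parse_url() and the $sanitizer->url() options mentioned in the thread are real.

```php
<?php
// Added example, not ProcessWire core code: a strict absolute-URL validator
// built directly on PHP's filter_var(), for code that needs "scheme and host
// required, no relative URLs, no auto-prefixing" semantics. The function
// names and sample inputs are this example's own (assumed), not the core API.

function validateAbsoluteUrl(string $url, array $allowedSchemes = ['http', 'https']): string
{
    $url = trim($url);

    // First gate: filter_var() on the raw input. Unlike $sanitizer->url() with
    // allowQuerystring or allowRelative=false, nothing is prepended first, so
    // "http://" (scheme, no host) and "invalidurl" (no scheme) are judged as-is.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }

    // Second gate: FILTER_VALIDATE_URL accepts any scheme, and lets "mailto:",
    // "news:" and "file:" through without a host, so check both explicitly.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host']) || $parts['host'] === '') {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return '';
    }

    return $url;
}

// Runs the validator over a list of inputs and returns input => result,
// where an empty string means "rejected".
function checkUrls(array $inputs, array $allowedSchemes = ['http', 'https']): array
{
    $results = [];
    foreach ($inputs as $input) {
        $results[$input] = validateAbsoluteUrl($input, $allowedSchemes);
    }
    return $results;
}

// Constructed sample inputs mirroring the cases discussed in this thread.
$samples = [
    'http://',                          // scheme only, no host (the original post)
    'invalidurl',                       // bare word, no scheme (the bump post)
    'http://processwire.com/http://',   // the faked-domain form: a real absolute URL
    'https://example.com/path?x=1',     // ordinary absolute URL with a query string
    'ftp://example.com/',               // absolute, but scheme not in the allow-list
    'mailto:someone@example.com',       // scheme without a host
];

foreach (checkUrls($samples) as $input => $result) {
    printf("%-34s => %s\n", $input, $result === '' ? '(rejected)' : $result);
}
```

The scheme allow-list is the part filter_var() alone does not give you: FILTER_VALIDATE_URL is a syntax check, not a policy check, so a value that passes it may still be a scheme you never intended to store or render as a link. This check is deliberately narrower than $sanitizer->url(), which also normalises and tidies the value; use it where rejecting doubtful input outright is the right outcome.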


My main point is that when I give a string to the sanitizer with allowRelative=false, I expect it to return a blank value for "invalidurl", because it's not a valid, non-relative URL. Most versions of PW, including latest, use the validation filters.

It's probably not easy to modify the behavior I'm expecting, so I'll just use filter_var().


"allowRelative" does state to me that relative urls are additionally allowed to the default behavior. So if it's not relative it's trying to cast the string to an absolute url. Your needed behavior would rather need to be named "onlyRelative" or alike. Maybe even a different sanitizer.


I would recommend against that type of option naming. I think it would add to the confusion. We have allowRelative and requireScheme currently, neither of which do what I'm thinking. Adding onlyRelative to the mix is confusing. I'm OK with no changes to the core for now.
