Ferdi Derksen (posted October 27, 2015):

Hi all, I'm pretty new here (working with PW for only a few weeks now) but I can't find out how the $sanitizer->url() function should work. In my case the input is only "http://" and I'd expected the sanitizer to return an empty string. This isn't the case, and it returns the exact input value. Is there an explanation for this, or are my expectations off-target? Tnx in advance!
LostKobrakai (posted October 27, 2015):

The sanitizer is internally relying on PHP's filter_var() function, which for me does return false for the string "http://".
Ferdi Derksen (posted October 28, 2015):

> The sanitizer is internally relying on php's filter_var() function, which for me does return false for the string "http://".

That's weird, because when testing this on DEV 2.6.19 (also on Master 2.6.1) the following results appear:

    var_dump(wire('sanitizer')->url("http://"));
    string 'http://' (length=7)

    var_dump(filter_var('http://', FILTER_VALIDATE_URL));
    boolean false
LostKobrakai (posted October 28, 2015):

If you disable the "allowQuerystring" option the issue should be gone. The setting tries to fake a domain for relative URLs with a query string, and somehow "http://processwire.com/http://" is a valid URL for PHP. But http:// is definitely not a valid relative URL, so it would be nice if you could open a GitHub issue about this. You can just link to this topic.
Ferdi Derksen (posted October 28, 2015):

@LostKobrakai Thanks for the feedback - but I'm only using the API in this case. I opened a new GitHub issue - https://github.com/ryancramerdesign/ProcessWire/issues/1479
LostKobrakai (posted October 28, 2015):

    $sanitizer->url($value, array(
        "allowQuerystring" => false
    ));
Ferdi Derksen (posted October 28, 2015):

Worked like a charm! Didn't know this was possible, many thanks!

[edit] My initial problem is solved - the bug still stands and will be discussed further at GitHub - https://github.com/ryancramerdesign/ProcessWire/issues/1479

Edited October 28, 2015 by Ferdi
gRegor (posted September 19, 2016):

Bumping this thread because I have a related question. I just discovered after a lot of testing that this:

    $sanitizer->url('invalidurl');

will return "invalidurl" instead of blank, as I'd expected. Setting the allowRelative option to false prepends the string with "http://" and the resulting "http://invalidurl" passes validation.

This does not seem like the behavior I expect. When I turn off allowRelative, I expect it to sanitize the string as-is, requiring a scheme, not adding one.

This is on PW 2.6.0, but looking at later versions of Sanitizer.php it appears it functions the same. For now I'll just call filter_var() directly to get the stronger validation I need.
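Added example (not part of the thread and not ProcessWire code): one way to do the stricter check gRegor describes, calling filter_var() directly and never prepending a scheme to the input. The function name strictAbsoluteUrl() and the http/https allowlist are assumptions made for illustration.

```php
<?php
// Added example: strict absolute-URL validation that never rewrites the input.
// strictAbsoluteUrl() and $allowedSchemes are hypothetical names, not ProcessWire API.

function strictAbsoluteUrl(string $value, array $allowedSchemes = ['http', 'https']): string
{
    $value = trim($value);

    // FILTER_VALIDATE_URL rejects strings that lack a scheme or a host,
    // so "invalidurl" and "http://" both fail at this step.
    if ($value === '' || filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }

    // Re-check the parsed components explicitly instead of trusting the filter alone.
    $parts = parse_url($value);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }

    // FILTER_VALIDATE_URL accepts any syntactically valid scheme,
    // so restrict to the schemes the application actually handles.
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return '';
    }

    // Return the caller's value unchanged: validate, do not repair.
    return $value;
}

// Constructed sample inputs, including the strings discussed in this thread.
$samples = [
    'http://',
    'invalidurl',
    'http://invalidurl',
    'https://example.com/path?x=1',
    'ftp://example.com/file.txt',
    '/relative/path',
];

foreach ($samples as $input) {
    $result = strictAbsoluteUrl($input);
    printf("%-32s => %s\n", var_export($input, true), $result === '' ? '(rejected)' : $result);
}
```

Because filter_var() treats a single-label host as syntactically valid, "http://invalidurl" still passes when the caller supplies the scheme; the difference from the behavior described in the post is that nothing is added to the input before validation.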
LostKobrakai (posted September 19, 2016):

Sanitization is the act of trying to return a value in the expected format in as many situations as possible. Everything else is rather validation and would therefore be on your own to do.
gRegor (posted September 19, 2016):

I would generally agree, but url() is kind of a hybrid method. It's using PHP's validation filters, not just sanitizing filters.
LostKobrakai (posted September 19, 2016):

Which version are we talking about? I'd imagine the validation part is only to ensure that things added by ProcessWire do result in a correct URL.
gRegor (posted September 19, 2016):

My main point is that when I give a string to the sanitizer with allowRelative=false, I expect it to return a blank value for "invalidurl", because it's not a valid, non-relative URL.

Most versions of PW, including latest, use the validation filters.

It's probably not easy to modify the behavior I'm expecting, so I'll just use filter_var().
LostKobrakai (posted September 19, 2016):

"allowRelative" does state to me that relative URLs are additionally allowed to the default behavior. So if it's not relative it's trying to cast the string to an absolute URL. Your needed behavior would rather need to be named "onlyRelative" or alike. Maybe even a different sanitizer.
gRegor (posted September 19, 2016):

I would recommend against that type of option naming. I think it would add to the confusion. We have allowRelative and requireScheme currently, neither of which do what I'm thinking. Adding onlyRelative to the mix is confusing.

I'm OK with no changes to the core for now.