Thanks @gRegorLove -- that allowRelative should have been false from the beginning, so it looks like that was an oversight on my part. I've pushed your suggested fix for this.
Short description of the issue
The $sanitizer->httpUrl() method lets through some invalid URLs unless you set the allowRelative option to false.

Expected behavior
I would expect this method to always return a string starting with http/https, or an empty string.
When $sanitizer->httpUrl() is called with an invalid URL and no options set, it should return an empty string.
E.g. $sanitizer->httpUrl('invalid url') should return an empty string.

Actual behavior
$sanitizer->httpUrl('invalid url') returns string 'invalid url'

Optional: Suggestion for a possible fix
$sanitizer->httpUrl('invalid url', ['allowRelative' => false]) returns the expected empty string.
Could explicitly set the allowRelative option if it's not already set here:
Aside: I used PSR-12 coding style which requires braces around control structure bodies, and the body to be on the line after the opening brace.
Steps to reproduce the issue
Output:
Setup/Environment
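The post-condition the report expects (an absolute http/https URL, or an empty string) can also be enforced at the call site, independent of the sanitizer's defaults. The following is an added example, not ProcessWire code and not from the issue; `requireAbsoluteHttpUrl()` is a hypothetical helper built only on PHP's `filter_var()` and `parse_url()`, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Returns $value unchanged if it is an absolute http/https URL,
 * otherwise an empty string. Hypothetical helper, not part of ProcessWire.
 */
function requireAbsoluteHttpUrl(string $value): string
{
    $value = trim($value);

    // FILTER_VALIDATE_URL rejects free text and scheme-less (relative) input.
    if ($value === '' || filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }

    // It accepts other schemes (ftp:, mailto:, ...), so check scheme and host too.
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }

    return $value;
}

// Constructed sample inputs mapped to the result the report expects.
$samples = [
    'invalid url'                  => '',
    '/relative/path'               => '',
    'example.com/page'             => '',
    'ftp://example.com/file'       => '',
    'https://example.com/page?x=1' => 'https://example.com/page?x=1',
];

foreach ($samples as $input => $expected) {
    $actual = requireAbsoluteHttpUrl($input);
    printf(
        "%-32s => %-34s %s\n",
        var_export($input, true),
        var_export($actual, true),
        $actual === $expected ? 'ok' : 'MISMATCH'
    );
}
```

The same table of inputs works as a regression test against `$sanitizer->httpUrl()` itself once the default for allowRelative is corrected.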