Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve santizer->httpUrl #1593

Closed
gRegorLove opened this issue Jul 2, 2022 · 2 comments
Closed

Improve santizer->httpUrl #1593

gRegorLove opened this issue Jul 2, 2022 · 2 comments
Labels
resolution: fixed-please close

Comments

@gRegorLove
Copy link

gRegorLove commented Jul 2, 2022
edited
Loading

Short description of the issue

The $sanitizer->httpUrl() method lets through some invalid URLs unless you set the allowRelative option to false.

Expected behavior

I would expect this method to always return a string starting with http/https, or an empty string.

When $sanitizer->httpUrl() is called with an invalid URL and no options set, it should return an empty string.

E.g. $sanitizer->httpUrl('invalid url') should return an empty string.

Actual behavior

$sanitizer->httpUrl('invalid url') returns string invalid url

Optional: Suggestion for a possible fix

$sanitizer->httpUrl('invalid url', ['allowRelative' => false]) returns the expected empty string.

Could explicitly set the allowRelative option if it's not already set here:

public function httpUrl($value, $options = array())
{
    $options['requireScheme'] = true; 
    if (empty($options['allowRelative'])) {
        $options['allowRelative'] = false;
    } 
    if (empty($options['allowSchemes'])) {
        $options['allowSchemes'] = array('http', 'https');
    }
    return $this->url($value, $options);
}

Aside: I used PSR-12 coding style which requires braces around control structure bodies, and the body to be on the line after the opening brace.

Steps to reproduce the issue

$url = 'invalid url';

echo 'input url:' . PHP_EOL;
var_dump($url);

echo PHP_EOL . '$sanitizer->url():' . PHP_EOL;
var_dump($sanitizer->url($url));

echo PHP_EOL . '$sanitizer->httpUrl():' . PHP_EOL;
var_dump($sanitizer->httpUrl($url));

echo PHP_EOL . '$sanitizer->httpUrl() with allowRelative = false:' . PHP_EOL;
var_dump($sanitizer->httpUrl($url, ['allowRelative' => false]));

Output:

input url:
string(11) "invalid url"

$sanitizer->url():
string(11) "invalid url"

$sanitizer->httpUrl():
string(11) "invalid url"

$sanitizer->httpUrl() with allowRelative = false:
string(0) ""

Setup/Environment

  • ProcessWire version: 3.0.165
  • (Optional) PHP version: 7.4.15
ryancramerdesign added a commit to processwire/processwire that referenced this issue Jul 8, 2022
@ryancramerdesign
Fix issue processwire/processwire-issues#1593
2e76df1
@ryancramerdesign
Copy link
Member

Thanks @gRegorLove -- that allowRelative should have been false from the beginning, so it looks like that was an oversight on my part. I've pushed your suggested fix for this.

@matjazpotocnik
Copy link
Collaborator

@gRegorLove based on your reaction, I'm assuming this is fixed, so I'm closing it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
resolution: fixed-please close
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ryancramerdesign @gRegorLove @matjazpotocnik