Ticket #40353: #40353.3.patch

wp-includes/formatting.php

@@ -2947 +2947 @@
         return apply_filters( 'is_email', $email, $email, null );
 }
 
+/**
+ * Verifies that an url is valid as wordpress site url
+ * The regex check just if th protocol are http o https.
+ * In case other protocol are need to be considered valid, one has to edit the regex through the filter
+ *
+ * @param string $url      Url address to verify.
+ * @return bool            False if it is not a valid wordpress site url
+ */
+function is_valid_wordpress_url($url){
+
+    $valid_url_pattern = '~^
+            (http(s)?)://                           # protocol
+            (([\pL\pN-]+:)?([\pL\pN-]+)@)?          # basic auth
+            (
+                ([\pL\pN\pS-\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
+                    |                                                 # or
+                \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}                    # an IP address
+                    |                                                 # or
+                \[
+                    (?:(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){6})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:::(?:(?:(?:[0-9a-f]{1,4})):){5})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){4})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,1}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){3})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,2}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){2})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,3}(?:(?:[0-9a-f]{1,4})))?::(?:(?:[0-9a-f]{1,4})):)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,4}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,5}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,6}(?:(?:[0-9a-f]{1,4})))?::))))
+                \]  # an IPv6 address
+            )
+            (:[0-9]+)?                              # a port (optional)
+            (?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )*      # a path
+        $~ixu';
+
+    /**
+     * basic check before running the regex
+     */
+    if( empty( trim($url) ) ){
+        return false;
+    }
+
+    /**
+     * Filters to edit the regex pattern for a valid url
+     *
+     * @param string $valid_url_pattern    The regex pattern to valid url against
+     */
+    $valid_url_pattern = apply_filters( 'valid_url_pattern', $valid_url_pattern );
+
+    if (!preg_match($valid_url_pattern, $url)) {
+
+        //is not a valid url
+        return false;
+    }else{
+
+        //is valid url
+        return true;
+    }
+}
+
 /**
  * Convert to ASCII from email subjects.
  *
@@ -4155 +4206 @@
                         break;
 
                 case 'siteurl':
-                        $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
-                        if ( is_wp_error( $value ) ) {
-                                $error = $value->get_error_message();
-                        } else {
-                                if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
-                                        $value = esc_url_raw( $value );
-                                } else {
-                                        $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' );
-                                }
-                        }
-                        break;
-
-                case 'home':
+        case 'home':
                         $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
                         if ( is_wp_error( $value ) ) {
                                 $error = $value->get_error_message();
                         } else {
-                                if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
-                                        $value = esc_url_raw( $value );
-                                } else {
-                                        $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' );
+                $value = esc_url_raw( $value );
+                                if ( ! is_valid_wordpress_url( $value ) ) {
+                                    if( $option == 'siteurl' ) {
+                        $error = __('The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.');
+                    } else {
+                        $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' );
+                    }
                                 }
                         }
                         break;