Opened 8 years ago
Last modified 4 years ago
#40353 assigned defect (bug)
Site URL and Home URL inputs are not properly validating
Reported by: | subrataemfluence | Owned by: | loru88 |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Options, Meta APIs | Keywords: | good-first-bug has-patch |
Focuses: | administration | Cc: |
Description
In wp-admin/options-general.php > General settings the URLs not properly validating. I tried the following with WordPress address (URL) input:
http://local.mysite. com
http://local.my?site.com
http://local.my*site.com
In all three cases WP saves the entry and then the page breaks! A proper handling is required.
Attachments (6)
Change History (24)
#4
@
7 years ago
@thamaraiselvam PHP can be compiled without support for filter
, so we cannot assume the filter_var()
functions are available.
#5
@
7 years ago
@rachelbaker you are right, but can't it be nice to use this feature when available ?
Maybe rely on parse_url can be a valid drawback ? If the url can be parsed, we can check if the scheme is http/https then accept it.
#6
@
7 years ago
@shulard as I know parse_url doesn't validate the url
The idea of a dedicated function is ok, but I upload a patch to validate the url against a simple regex.
It takes into consideration just http and https, a valid hostname or ip address, an optional port and an optional path.
a filter is applied to the regex in case someone needs different validation pattern.
I taked inspiration from Symfony UrlValidator but I simplified the regex:
https://github.com/symfony/validator/blob/master/Constraints/UrlValidator.php
Could be useful to add a unit test on this function.
#7
@
7 years ago
You are right, parse_url
doesn't validate the URL it analyze the different parts and extract them inside an array, it's why I validated array keys and values.
The regex used seems very complicated due to IPv6 support but it's more accurate regarding validation. I'll take a look to add some unit tests on your function :)
#10
follow-up:
↓ 13
@
7 years ago
@umangvaghela123 As mentioned earlier in the ticket, filter_var()
can't be used because it could be turned off in PHP 5.2.
40353.4.patch looks a bit messy because it removes existing unit tests and the regex in is_valid_wordpress_url()
is way too complex for this IMHO.
This ticket was mentioned in Slack in #core by umangvaghela. View the logs.
7 years ago
#12
@
7 years ago
- Owner set to loru88
- Status changed from new to assigned
Assigning ownership to mark the good-first-bug
as "claimed".
#13
in reply to:
↑ 10
@
7 years ago
Replying to swissspidy:
@umangvaghela123 As mentioned earlier in the ticket,
filter_var()
can't be used because it could be turned off in PHP 5.2.
40353.4.patch looks a bit messy because it removes existing unit tests and the regex in
is_valid_wordpress_url()
is way too complex for this IMHO.
It does not remove any existing unit test, I just take the email validation test as a template to start but I probably mess with git. I'll fix it as soon as I can.
The function "is_valid_wordpress_url" is complex because I think it could be useful for plugin and theme authors, just like any other data validation function in wordpress core.
#14
follow-up:
↓ 15
@
7 years ago
@loru88
Its is fine if we use esc_url() for validate site_url and home_url.
#15
in reply to:
↑ 14
@
7 years ago
as @rachelbaker said here, we cannot user filter
function
Replying to umangvaghela123:
@loru88
Its is fine if we use esc_url() for validate site_url and home_url.
#16
@
7 years ago
@loru88 ,@swissspidy,@DrewAPicture If we check with wp_http_validate_url() so we can solve issue.To use this function we are not face php varsion issue.
In general, URIs as defined by * RFC 3986 (see * Section 2: Characters) may contain any of the following characters:
@subrataemfluence From your question all tested cases are valid.
references
http://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid