Greetings,

We came across with a few external JS files that don't end with either .js or .txt
They may even have different arguments which are always the same for one website so the URL is fixed and JS content is the same.

We can't use your module for them so we have to download and cache them manually.

Could you please consider to remove this restriction?

Thanks.

Comments

pwolanin’s picture

Status: Active » Postponed (maintainer needs more info)

It's a query-string issue or an issue of the extension?

ardas’s picture

I think the problem is in this function where you validate external path:

function javascript_libraries_valid_external_url($url) {
  // The URL must begin with http:// or https:// and must end in ".js" or
  // ".txt".
  $parts = parse_url($url);
  return $parts && ($parts['scheme'] == 'http' || $parts['scheme'] == 'https') && $parts['host'] && preg_match('@/.+\.(js|txt)$@i', $parts['path']);
}

Looks like you don't permit to use external JS files without either JS or TXT expression. Sometimes, 3d party services provides their JS libraries by different URLs, there may be no extension at all or several GET parameters. In these cases we can't use this module because of this limitation.

Since this limitation will not help with security I propose to remove this preg_match() and make the validation not that strict.

Your thoughts?

rkallensee’s picture

I have the same issue. To provide an example: I tried to include the Google Maps API with the following URL:

https://maps.googleapis.com/maps/api/js?key=API_KEY&sensor=false

This is not possible with the current check for an extension (js|txt). I would second the proposal to remove the check for the extension in the external URL, since it doesn't help much and prevents embedding JS sources like the Google Maps API completely.

ryandekker’s picture

Issue summary: View changes
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new963 bytes

Here's a patch that uses Drupal's valid_url() function instead. This will still help the admin catch a URL that isn't a valid external URL, without being overly strict so as to prevent URLs which are valid. Query and fragments are pretty common pieces of URLs, as highlighted above.

Status: Needs review » Needs work

The last submitted patch, 4: javascript_libraries-better_valid_url_check-1588312-4.patch, failed testing.