The function valid_url uses regex to check the URLs. Let's change to using filter_var where we can. For example:

function valid_url($url, $absolute = FALSE) {
  $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,;~=#&%\+]';
  if ($absolute) {
    return (bool)filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);
  }
  else {
    return (bool)preg_match("/^" . $allowed_characters . "+$/i", $url);
  }
}

If it's an absolute URL we can use filter_var to do the detection. This would make for a change in the API. The current function only responds true for http, ftp, and https. If we switch to filter_var for the detection, any schema will work. It could be http, https, ftp, itunes, or somemadeupschema.

So, testme://example.com would fail in the current function but pass if we used filter_var. Is this change something we want to do?

For some details on the limitations of this filter and how it works see http://www.talkincode.com/php-filter-filter_validate_url-limitations-124...
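
The scheme difference described in the post above, as an added example that is not part of the original post or of Drupal's code: filter_var() does the syntax check and a separate allowlist keeps the http/https/ftp restriction. The function name example_valid_absolute_url() and the sample URLs are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not Drupal's code. The function name and the sample URLs
// below are constructed for illustration.

/**
 * Validates an absolute URL with filter_var(), then restricts the scheme to
 * the three that the post says the existing valid_url() accepts.
 */
function example_valid_absolute_url(string $url, array $allowed_schemes = ['http', 'https', 'ftp']): bool {
  // FILTER_VALIDATE_URL checks general URL syntax only; it does not restrict
  // which scheme is used.
  if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
    return FALSE;
  }
  $scheme = parse_url($url, PHP_URL_SCHEME);
  if (!is_string($scheme)) {
    return FALSE;
  }
  // Schemes are case-insensitive, so compare in lower case.
  return in_array(strtolower($scheme), $allowed_schemes, TRUE);
}

// Constructed sample input: three allowed schemes, the made-up scheme from
// the post, and a relative path.
$samples = [
  'http://example.com/node/1',
  'HTTPS://example.com/?q=a',
  'ftp://example.com/file.txt',
  'testme://example.com',
  'node/1',
];

foreach ($samples as $url) {
  printf("%-28s filter_var=%-5s allowlist=%s\n",
    $url,
    var_export(filter_var($url, FILTER_VALIDATE_URL) !== FALSE, TRUE),
    var_export(example_valid_absolute_url($url), TRUE));
}
```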

Comments

mfer’s picture

This filter just tests if parse_url is able to parse the url. See http://us.php.net/parse_url.

Funny thing is the man page for parse_url says, "This function is not meant to validate the given URL".

This may be better than our current valid_url regex at doing the same type of check though.

mfer’s picture

Status: Active » Closed (works as designed)

FILTER_VALIDATE_URL doesn't perform very good validation and will pass for many invalid URLs.

brianV’s picture

As mfer said, it doesn't work well.

Just for anyone else who stumbles across this issue, moving core validation to filter_var() is discussed in #487232: Use filter_var() for core validation functions.