Updated: Comment #N

Problem/Motivation

Currently the URL utility \Drupal\Component\Utility\Url just can validate (Url::isValid()) URL's with a defined scheme. However, an URL isn't required to explicitly define a scheme:
http://tools.ietf.org/html/rfc3986#section-4.2
http://url.spec.whatwg.org/#concept-scheme-relative-url

This functionality can become quite handy and we should support such URL structures.

Proposed resolution

Make sure the URL utility properly validates scheme relative URL's. To do so I suggest to adjust Url::isValid() to not explicitly check for schemes (https / ftp / feed) but instead check the pattern defined by RFC 3986 section 3.1 and allow scheme relative URLs at the same time.
Checking the scheme should be fully upon Url::stripDangerousProtocols() instead.

Remaining tasks

Reviews needed

User interface changes

None

API changes

None

CommentFileSizeAuthor
#51 2195983-43.patch10.5 KBquietone
#51 2195983-43-fail.patch4.88 KBquietone
#41 2195983-40.patch10.47 KBquietone
#41 diff-29-40.txt13.05 KBquietone
#29 support_scheme_relative-2195983-29.patch12.56 KBNitesh Sethia
#26 support_scheme_relative-2195983-26.patch10.74 KBNitesh Sethia
#24 support_scheme_relative-2195983-24.patch12.56 KBNitesh Sethia
#22 interdiff.txt1.21 KBbalintcsaba
#22 2195983-22.patch10.31 KBbalintcsaba
#20 d8-add-support-for-schema-relative-urls-2195983-20.patch10.3 KBmartin107
#17 interdiff.txt6.1 KBWim Leers
#17 d8-add-support-for-schema-relative-urls-2195983-17.patch11.08 KBWim Leers
#12 d8-add-support-for-schema-relative-urls-2195983-12.patch10.15 KBdas-peter
#7 d8-add-support-for-schema-relative-urls-2195983-7.patch10.16 KBdas-peter
#4 d8-add-support-for-schema-relative-urls-2195983-4.patch10.05 KBdas-peter
d8-add-support-for-schema-relative-urls.patch6.96 KBdas-peter
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

das-peter’s picture

das-peter CreditAttribution: das-peter commented
Related issues: +#2054011: Implement built-in support for internal URLs

Status: Needs review » Needs work

The last submitted patch, d8-add-support-for-schema-relative-urls.patch, failed testing.

The last submitted patch, d8-add-support-for-schema-relative-urls.patch, failed testing.

das-peter’s picture

das-peter CreditAttribution: das-peter commented
Status: Needs work » Needs review
FileSize
d8-add-support-for-schema-relative-urls-2195983-4.patch10.05 KB

Had to adjust url validation in some locations.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Title: Support scheme / protocol relative URL's » Support scheme/protocol-relative URLs

This looks great to me.

That said, do we actually know why Url::isValid() does not use filter_var()?

-    if ($typed_data instanceof UriInterface && filter_var($value, FILTER_VALIDATE_URL) === FALSE) {
+    if ($typed_data instanceof UriInterface && Url::isValid($value, TRUE) === FALSE) {

If there's a particular reason for why we're not able to use it, then I think it would be a good idea to document that in its phpDoc, so we're able to double-check whether the custom preg_match() approach is obsolete with a new PHP version in the future.

das-peter’s picture

das-peter CreditAttribution: das-peter commented

That said, do we actually know why Url::isValid() does not use filter_var()?

During my test's I figured out that filter_var($value, FILTER_VALIDATE_URL) won't work with schema relative URLs. The function only validates if there's any kind of schema present - I thought about introducing something like (filter_var($value, FILTER_VALIDATE_URL) || filter_var("schema:" . $value, FILTER_VALIDATE_URL)) to make schema relative paths validating. However that seems pretty ugly.

das-peter’s picture

das-peter CreditAttribution: das-peter commented
FileSize
d8-add-support-for-schema-relative-urls-2195983-7.patch10.16 KB

Added comment to clarify why preg_match() instead filter_var() is used.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Needs review » Reviewed & tested by the community

Thanks!

hass’s picture

hass CreditAttribution: hass commented 
+++ b/core/tests/Drupal/Tests/Component/Utility/UrlTest.php
@@ -435,11 +435,16 @@ public static function providerTestStripDangerousProtocols() {
+    $url_schemes = array('http:', 'https:', 'ftp:', 'h+-.:', '');

Can you explain what 'h+-.:' is made for, please?

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented

That's an allowed/supported character test.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

d8-add-support-for-schema-relative-urls-2195983-7.patch no longer applies.

error: patch failed: core/includes/common.inc:612
error: core/includes/common.inc: patch does not apply
das-peter’s picture

das-peter CreditAttribution: das-peter commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
FileSize
d8-add-support-for-schema-relative-urls-2195983-12.patch10.15 KB

Re-roll

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented

I think this is actually a dupe of the older #1783278: Scheme-relative URL rejected by validation.
Can you compare the two approaches?

If this one is preferred, we can just mark that back to D7.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Needs review » Reviewed & tested by the community

This patch here definitely looks preferable, because it also removes that apparently hard-coded list of schemes in the preg_match() of isValid(), which has absolutely no business in there. :)

Due to that change, however, this patch cannot be backported, so we might as well keep the other issue to consider a D7/D6 compatible feature addition (which will probably look completely different to this patch here).

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Issue tags: +Protocol-relative
sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented

Btw, marginally related:

PHP 5.4.7+ properly parses schema/protocol-relative URLs: http://3v4l.org/aPX44

Bummer, we only require 5.4.2 right now.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers commented
Title: Support scheme/protocol-relative URLs » Support scheme-relative URLs
FileSize
d8-add-support-for-schema-relative-urls-2195983-17.patch11.08 KB
interdiff.txt6.1 KB

YAY! Thanks for working on this :)

Only found nitpicks:

No actual code changes.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers commented

Also, I'm wondering if this shouldn't be considered a bug report instead of a feature request?

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs reroll

d8-add-support-for-schema-relative-urls-2195983-17.patch no longer applies.

error: patch failed: core/includes/common.inc:618
error: core/includes/common.inc: patch does not apply
error: core/lib/Drupal/Component/Utility/Url.php: No such file or directory
error: core/tests/Drupal/Tests/Component/Utility/UrlTest.php: No such file or directory
martin107’s picture

martin107 CreditAttribution: martin107 commented
Status: Needs work » Needs review
FileSize
d8-add-support-for-schema-relative-urls-2195983-20.patch10.3 KB

Reroll.

Status: Needs review » Needs work

The last submitted patch, 20: d8-add-support-for-schema-relative-urls-2195983-20.patch, failed testing.

balintcsaba’s picture

balintcsaba CreditAttribution: balintcsaba commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
FileSize
2195983-22.patch10.31 KB
interdiff.txt1.21 KB

rerolled

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom commented
Status: Needs review » Needs work
Issue tags: +Needs reroll
Nitesh Sethia’s picture

Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
FileSize
support_scheme_relative-2195983-24.patch12.56 KB

Rerolled the patch successfully.

Status: Needs review » Needs work

The last submitted patch, 24: support_scheme_relative-2195983-24.patch, failed testing.

Nitesh Sethia’s picture

Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Status: Needs work » Needs review
FileSize
support_scheme_relative-2195983-26.patch10.74 KB

Rerolled the patch.

Status: Needs review » Needs work

The last submitted patch, 26: support_scheme_relative-2195983-26.patch, failed testing.

Nitesh Sethia’s picture

Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Nitesh Sethia’s picture

Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Status: Needs work » Needs review
FileSize
support_scheme_relative-2195983-29.patch12.56 KB

Rerolled

Nitesh Sethia’s picture

Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented

Status: Needs review » Needs work

The last submitted patch, 29: support_scheme_relative-2195983-29.patch, failed testing.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

quietone’s picture

quietone CreditAttribution: quietone as a volunteer commented
Issue tags: +Bug Smash Initiative

This looks like a duplicate of an older issue #1783278: Scheme-relative URL rejected by validation, and despite that being the older issue in #14 sun states that this is the preferred solution "because it also removes that apparently hard-coded list of schemes in the preg_match() of isValid(), which has absolutely no business in there. :)" Based on that the way forward is to close the other as a duplicate and merge the two patches.

Any objections?

quietone’s picture

quietone CreditAttribution: quietone as a volunteer commented
Status: Needs work » Needs review
FileSize
diff-29-40.txt13.05 KB
2195983-40.patch10.47 KB

I did some work to merge the two patches. The changes for \Drupal\Component\Utility\UrlHelper::isExternal from this patch were not added, just didn't get to it.

Here is the work so far. There is no expectation that tests will pass.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers as a volunteer commented

Nice, exciting to see this move forward again, @quietone! 🥳

quietone credited Hawk777.

quietone credited Jody Lynn.

quietone credited Mac_Weber.

quietone credited dawehner.

quietone credited kerby70.

quietone credited rbayliss.

quietone credited redndahead.

quietone credited sashi.kiran.

quietone’s picture

quietone CreditAttribution: quietone as a volunteer commented
Version: 8.9.x-dev » 9.2.x-dev
FileSize
2195983-43-fail.patch4.88 KB
2195983-43.patch10.5 KB

OK, I have looked at isExternal and I believe the current version in HEAD because the new tests for relative schemes pass without any changes.

Being hopeful, I am uploading a fail patch as well.

And I have moved credit from the other issue to this one. Let me know if I made a mistake on that.

The last submitted patch, 51: 2195983-43-fail.patch, failed testing. View results

Status: Needs review » Needs work

The last submitted patch, 51: 2195983-43.patch, failed testing. View results

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.