$sanitizer->url() currently sanitizes URLs by stripping dangerous schemes (e.g. javascript:) and illegal characters, but does not validate that the value is a structurally valid URL. Strings like 'totally invalid' or 'not a url' pass through unchanged.
This is intentional and correct for backwards compatibility, but it would be useful to have an opt-in validate option that rejects values that don't pass FILTER_VALIDATE_URL.
Proposed changes:
- $sanitizer->url($value, ['validate' => true]) — returns a blank string if the value fails URL validation (checked after sanitization).
- FieldtypeURL gets a corresponding validate field setting (checkbox, disabled by default) that passes the option through to the sanitizer.
Notes:
- Default behavior unchanged — fully backwards compatible.
- FILTER_VALIDATE_URL is strict and rejects some legitimate values (IDNs, certain relative paths), so the option description should note this.
- The allowIDN and allowRelative options on $sanitizer->url() may need to be taken into account when the validate option is used.
-Claude
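As an added illustration (not ProcessWire's own code and not a patch to $sanitizer->url()), the following standalone PHP sketch shows the proposed ordering (sanitize first, validate second) and one way allowRelative and allowIDN could be reconciled with FILTER_VALIDATE_URL, which rejects scheme-less values and non-ASCII hosts. sanitizeUrlBasic() and urlWithValidate() are hypothetical stand-ins for the real sanitizer, and the origin http://example.invalid/ used for relative values is a constructed placeholder.

```php
<?php
// Hypothetical stand-in for the existing sanitizer step: strip whitespace and
// control characters, then reject dangerous schemes. Not ProcessWire code.
function sanitizeUrlBasic(string $value): string {
    $value = preg_replace('/[\s\x00-\x1F\x7F]+/', '', $value) ?? '';
    if (preg_match('/^(javascript|data|vbscript):/i', $value)) return '';
    return $value;
}

// Validation layer applied to an already-sanitized value.
// Returns the original sanitized value on success, '' on failure.
function validateSanitizedUrl(string $url, array $options = []): string {
    $options += ['allowIDN' => false, 'allowRelative' => false];
    if ($url === '') return '';
    $candidate = $url;

    // FILTER_VALIDATE_URL requires a scheme and host, so a relative value
    // is checked against a constructed placeholder origin (not a real host).
    if ($options['allowRelative'] && !preg_match('~^[a-z][a-z0-9+.-]*://~i', $url)) {
        $candidate = 'http://example.invalid/' . ltrim($url, '/');
    }

    // FILTER_VALIDATE_URL accepts ASCII hosts only: convert an IDN host to
    // punycode for the check (ext/intl), keeping the original for the caller.
    if ($options['allowIDN'] && function_exists('idn_to_ascii')) {
        $host = parse_url($candidate, PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            $ascii = idn_to_ascii($host);
            if ($ascii === false) return '';
            $candidate = str_replace($host, $ascii, $candidate);
        }
    }

    return filter_var($candidate, FILTER_VALIDATE_URL) === false ? '' : $url;
}

// Hypothetical wrapper mirroring the proposed opt-in 'validate' option:
// default behaviour (no validation) is unchanged.
function urlWithValidate(string $value, array $options = []): string {
    $sanitized = sanitizeUrlBasic($value);
    if (empty($options['validate'])) return $sanitized;
    return validateSanitizedUrl($sanitized, $options);
}

// Constructed sample inputs: relative and IDN values only pass when the
// matching allow* option is set alongside 'validate'.
var_dump(urlWithValidate('totally invalid', ['validate' => true]));          // ''
var_dump(urlWithValidate('https://processwire.com/', ['validate' => true])); // kept
var_dump(urlWithValidate('/about/team/', ['validate' => true]));             // ''
var_dump(urlWithValidate('/about/team/', ['validate' => true, 'allowRelative' => true]));
var_dump(urlWithValidate('https://bücher.example/', ['validate' => true, 'allowIDN' => true]));
```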