Merge pull request #5268 from kenjis/add-valid_url_strict

feat: add valid_url_strict rule

Author: kenjis

system/Validation/FormatRules.php

@@ -268,7 +268,10 @@ public function valid_ip(?string $ip = null, ?string $which = null): bool
     }
 
     /**
-     * Checks a URL to ensure it's formed correctly.
+     * Checks a string to ensure it is (loosely) a URL.
+     *
+     * Warning: this rule will pass basic strings like
+     * "banana"; use valid_url_strict for a stricter rule.
      *
      * @param string $str
      */
@@ -291,6 +294,27 @@ public function valid_url(?string $str = null): bool
         return filter_var($str, FILTER_VALIDATE_URL) !== false;
     }
 
+    /**
+     * Checks a URL to ensure it's formed correctly.
+     *
+     * @param string|null $validSchemes comma separated list of allowed schemes
+     */
+    public function valid_url_strict(?string $str = null, ?string $validSchemes = null): bool
+    {
+        if (empty($str)) {
+            return false;
+        }
+
+        $scheme       = strtolower(parse_url($str, PHP_URL_SCHEME));
+        $validSchemes = explode(
+            ',',
+            strtolower($validSchemes ?? 'http,https')
+        );
+
+        return in_array($scheme, $validSchemes, true)
+            && filter_var($str, FILTER_VALIDATE_URL) !== false;
+    }
+
     /**
      * Checks for a valid date and matches a given date format
      *

tests/system/Validation/FormatRulesTest.php

@@ -88,7 +88,7 @@ public function testRegexMatchFalse()
     /**
      * @dataProvider urlProvider
      */
-    public function testValidURL(?string $url, bool $expected)
+    public function testValidURL(?string $url, bool $isLoose, bool $isStrict)
     {
         $data = [
             'foo' => $url,
@@ -98,7 +98,36 @@ public function testValidURL(?string $url, bool $expected)
             'foo' => 'valid_url',
         ]);
 
-        $this->assertSame($expected, $this->validation->run($data));
+        $this->assertSame($isLoose, $this->validation->run($data));
+    }
+
+    /**
+     * @dataProvider urlProvider
+     */
+    public function testValidURLStrict(?string $url, bool $isLoose, bool $isStrict)
+    {
+        $data = [
+            'foo' => $url,
+        ];
+
+        $this->validation->setRules([
+            'foo' => 'valid_url_strict',
+        ]);
+
+        $this->assertSame($isStrict, $this->validation->run($data));
+    }
+
+    public function testValidURLStrictWithSchema()
+    {
+        $data = [
+            'foo' => 'http://www.codeigniter.com',
+        ];
+
+        $this->validation->setRules([
+            'foo' => 'valid_url_strict[https]',
+        ]);
+
+        $this->assertFalse($this->validation->run($data));
     }
 
     public function urlProvider()
@@ -107,60 +136,90 @@ public function urlProvider()
             [
                 'www.codeigniter.com',
                 true,
+                false,
             ],
             [
                 'http://codeigniter.com',
                 true,
+                true,
             ],
-            //https://bugs.php.net/bug.php?id=51192
+            // https://bugs.php.net/bug.php?id=51192
             [
                 'http://accept-dashes.tld',
                 true,
+                true,
             ],
             [
                 'http://reject_underscores',
                 false,
+                false,
             ],
-            // https://github.com/codeigniter4/CodeIgniter/issues/4415
+            // https://github.com/bcit-ci/CodeIgniter/issues/4415
             [
                 'http://[::1]/ipv6',
                 true,
+                true,
             ],
             [
                 'htt://www.codeigniter.com',
                 false,
+                false,
             ],
             [
                 '',
                 false,
+                false,
+            ],
+            // https://github.com/codeigniter4/CodeIgniter4/issues/3156
+            [
+                'codeigniter',
+                true,   // What?
+                false,
             ],
             [
                 'code igniter',
                 false,
+                false,
             ],
             [
                 null,
                 false,
+                false,
             ],
             [
                 'http://',
-                true,
-            ], // this is apparently valid!
+                true,   // Why?
+                false,
+            ],
             [
                 'http:///oops.com',
                 false,
+                false,
             ],
             [
                 '123.com',
                 true,
+                false,
             ],
             [
                 'abc.123',
                 true,
+                false,
             ],
             [
                 'http:8080//abc.com',
+                true,   // Insane?
+                false,
+            ],
+            [
+                'mailto:[email protected]',
                 true,
+                false,
+            ],
+            [
+                '//example.com',
+                false,
+                false,
             ],
         ];
     }

user_guide_src/source/libraries/validation.rst

@@ -860,7 +860,14 @@ valid_emails            No         Fails if any value provided in a comma
 valid_ip                No         Fails if the supplied IP is not valid.        valid_ip[ipv6]
                                    Accepts an optional parameter of ‘ipv4’ or
                                    ‘ipv6’ to specify an IP format.
-valid_url               No         Fails if field does not contain a valid URL.
+valid_url               No         Fails if field does not contain (loosely) a
+                                   URL. Includes simple strings that could be
+                                   hostnames, like "codeigniter".
+valid_url_strict        Yes        Fails if field does not contain a valid URL.  valid_url_strict[https]
+                                   You can optionally specify a list of valid
+                                   schemas. If not specified, ``http,https``
+                                   are valid. This rule uses
+                                   PHP's ``FILTER_VALIDATE_URL``.
 valid_date              No         Fails if field does not contain a valid date. valid_date[d/m/Y]
                                    Accepts an optional parameter to matches
                                    a date format.