feat: add valid_url_strict rule

[kenjis]

Description
Supersedes #4658
Fixes #3156

The current valid_url is too loose.

I referred to #4658 (comment)

Checklist:

• Securely signed commits
• Component(s) with PHPDoc blocks, only if necessary or adds value
• Unit testing, with >80% coverage
• User guide updated
• Conforms to style guide

[MGatner]

Thanks for implementing this! An old one. I made a code consolidation suggestion.

[michalsn]

Oh... apparently I was the one who suggested this type of solution, but I'm not sure I thought it through properly.

I have concerns about the mailto,tel,sms options. I don't think they will be really helpful to most people and will give users the misconception that we are validating email or phone number here. I know this can be helpful in some cases, but in my opinion only in conjunction with other validation rules.

I would only use https as the default validScheme. I don't even know if browsers accept anything with http without making a big deal out of it these days.

We should indicate that the validation process follows RFC2396.

Overall, I'm just a little worried that if we leave it the way it is, users will start complaining that it doesn't work the way it should "again"... Am I overthinking this?

[kenjis]

How about these?

• remove mailto,tel,sms from the default valid schemes
  • I can't imagine use cases for validating mailto, tel, and sms URLs.
• add using FILTER_VALIDATE_URL to the user guide

[michalsn]

Yes, I agree that we should get rid of mailto,tel,sms. I was searching why we added these and it seems like we took it because laravel helper had it. Maybe there is some use case, but I don't see a reason to have these as allowed protocols by default.

I was thinking about it a little more and maybe we should go a step further and assume that the majority of users would like to validate a "normal" URL address - with a valid TLD name in it? I believe that would be the most common use case (we have a separate rule for validating IP addresses).

We could validate TLD based on a list e.g: https://github.com/umpirsky/tld-list. It would be an additional step in url validation. Thoughts?

[kenjis]

I was thinking about it a little more and maybe we should go a step further and assume that the majority of users would like to validate a "normal" URL address - with a valid TLD name in it? I believe that would be the most common use case (we have a separate rule for validating IP addresses).

I also think the majority of users would like to validate web addresses.

But if users really need to check the URL, they need to check not only TLD, but also domain name.
Is there much value in checking only the TLDs? I'm not sure.

If we check the hostname in a URL, there are a lot of tasks to do.
See https://docs.laminas.dev/laminas-validator/validators/hostname/

And even if we use laminas-validator, we can't check if the URL really exists.

[MGatner]

I think sticking with validating the "format" is the way to go. I'm not opposed to something larger, like verifying domains and whatnot, but I don't think that belongs in the Format Rules but perhaps an extension of URI class or a separate Validation rule in its own library.

[MGatner]

I'm good with this current version.

[michalsn]

Okay.

[kenjis]

Thanks, guys!