zod icon indicating copy to clipboard operation
zod copied to clipboard

Published 20 hours ago verified publisher icon colinhacks

bug: `z.string().url()` is incosistent across browser

Open ElasticBottle opened this issue 1 year ago • 6 comments

Just learned that z.string().url() actually fails on firefox for https://*.example.com while it passes for every other browser.

Not too sure if this inconsistency is intended or not.

Happy to make a PR to help resolve the inconsistency with the new URL being used under the hood for FF.

On version zod: 3.20.2

ElasticBottle avatar Mar 28 '23 00:03 ElasticBottle

I have confirmed this. However, this is an issue with the implementation of URL across browsers and not necessarily a problem with zod.

JacobWeisenburger avatar Mar 28 '23 17:03 JacobWeisenburger

Yeap, totally aligned.

saw the

try{
   new URL()
} catch(e) {}

block for validating URL

I think we should either

  1. Document this within the docs (Am leaning towards this)
  2. Do some wrapper around URLs coming from Firefox to make sure it passes
  3. Do custom regex
  4. Something else

I think the main thing is to make either the behavior consistent or at least have it documented.

Happy to do any of the above

ElasticBottle avatar Mar 28 '23 23:03 ElasticBottle

This is also an issue in React Native, where new URL does not throw correctly in its constructor:

A URL of "Test" being validated by React Native's URL constructor

This appears to have impacted at least one user: https://github.com/colinhacks/zod/issues/2236 as well as someone downstream as a user of my library (which uses Zod).

While this could likely be solved by poly-filling URL in React Native with a non-standard (for RN) URL polyfill, this method is:

  • More challenging to debug for those less familiar with the inner working of React Native/polyfills
  • Potentially breaking for users with React Native if the working of the current React Native usage is required

Ideally, I actually think that a regex should potentially replace the URL functionality in order to keep consistency and avoid headaches for end-users.

Also happy to work on this if needed.

crutchcorn avatar Apr 03 '23 06:04 crutchcorn

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 02 '23 14:07 stale[bot]

Weird because I saw someone using url() normally... I don't know if you used something else, I don't remember.

edu-amr avatar Jul 29 '23 00:07 edu-amr

I was looking to open another issue but I guess this can be used as well. The following value foo-bar: true will be considered as a valid URL for the z.string().url() schema. I had to use a custom validator using refine to define a regex for HTTP URLs

z.string().refine((value) => /https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)/.test(value), 'Field should be a valid URL')

toninofox avatar Feb 12 '24 17:02 toninofox