framework
framework copied to clipboard
laravel
URL validation fails when query parameters in validated URL contains space
Laravel Version
11.41.3
PHP Version
8.4.3
Database Driver & Version
No response
Description
For some reason it seems that calling /link?url=https://www.foo.com/?utm_campaign=some%20campaign in my application will fail to validate the url parameter there. Calling Str::isUrl('https://www.foo.com/?utm_campaign=some%20campaign')directly in tinker returnstruethough. However, dumping$request->input('url')in the controller reveals that the%20character there has done MIA. That also happens if I use+` as a space encoder.
Steps To Reproduce
routes/web.php:
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
Route::get('/link', function(Request $request) {
$request->validate(['url' => 'required|url']);
});
tests/Feature/UrlValidatorTest.php:
<?php
use function Pest\Laravel\getJson;
test('passes 1', function() {
getJson('/link?url=https://www.foo.com/?utm_campaign=some%2520campaign')->assertSuccessful();
});
test('fails 1', function() {
getJson('/link?url=https://www.foo.com/?utm_campaign=some%20campaign')->assertSuccessful();
});
test('passes 2', function() {
getJson('/link?url=https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%2520campaign')->assertSuccessful();
});
test('fails 2', function() {
getJson('/link?url=https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%20campaign')->assertSuccessful();
});
Test 2 and 4 will then fail here.
Is this supposed to fail like this? My understanding is that https://www.foo.com/?utm_campaign=some%20campaign is a completely valid URL though (and directly calling Str::isUrl('https://www.foo.com/?utm_campaign=some%20campaign') confirms that). Or should spaces in query parameters always be double encoded when passing them to Laravel for validation?
One workaround/hack is to add these lines before the validation is done:
$request->merge([
'url' => Str::replace(' ', '+', $request->input('url')),
]);
Reproduction repo: https://github.com/carestad/laravel-url-validation-bug
You should url encode an url set as query param:
https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%20campaign
Thank you for reporting this issue!
As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.
If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.
Thank you!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
I have reviewed the issue regarding URL validation failing when query parameters contain spaces. This behavior stems from how PHP processes query parameters, where spaces encoded as %20 or + are converted back to spaces, leading to potential validation failures.
Proposed Solution:
To address this, consider encoding the URL before validation to ensure spaces are properly represented. Alternatively, adjust the validation logic to account for spaces in query parameters.
Implementation Details:
In your controller, you can encode the URL before validation:
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
Route::get('/link', function(Request $request) {
$url = urlencode($request->input('url'));
$request->merge(['url' => $url]);
$request->validate([
'url' => 'required|url',
]);
// Proceed with the validated URL
});
This approach ensures that spaces and other special characters are properly encoded, allowing the url validation rule to function as expected.
Considerations:
User Experience: Ensure that encoding the URL doesn't affect user experience, especially if the URL is displayed back to the user.
Security: Always sanitize and validate URLs to prevent potential security vulnerabilities.
By implementing this solution, URL validation should handle spaces in query parameters correctly.
@carestad Hello, I think I know where is the problem here. When you pass the data in a url parameter, you encode id, but the right part of the url (after '?') is already encoded, so that part will be double encoded. See my example:
https://www.foo.com/?utm_campaign=some%20campaignis a valid url, the right part is encoded correcly, but when you put that direcly in the url parameters, this will be decoded ashttps://www.foo.com/?utm_campaign=some campaign, what is not a valid url. This explains why test 2 fails.https://www.foo.com/?utm_campaign=some%2520campaignthat is also a valid url in normal for, but when you put as a url parameter this will be decoded like:https://www.foo.com/?utm_campaign=some%20campaignwhat is a valid url. This explains why test 1 pass.
So on for the other 2 tests. The problem here is not in the laravel framework or php reading the parameter. The problem is you passing a url parameter without encode it, so when the server recives it it will try to decode (replacing '%20' to space) and when it reach the validation it will fail.
@crynobone ready for review: https://github.com/laravel/framework/pull/57440
This issue should be cloused as I mentioned the error is in the execution, not in the framework.
@crazynds @crynobone I spent some time and I realize the space is not a valid character for urls, no errors at all.