wp_http_validate_url( string   $url ): string|false

Validates a URL for safe use in the HTTP API.

Description

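Examples of URLs that are considered unsafe: a URL whose scheme is not http or https, a malformed URL with no host, a URL that embeds login information (a user or password), and a URL whose hostname cannot be resolved to an IP address.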

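Examples of URLs that are considered unsafe by default: a URL whose host is, or resolves to, an IPv4 address in 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (this can be changed with the 'http_request_host_is_external' filter), and a URL with a port other than 80, 443 or 8080 (this can be changed with the 'http_allowed_safe_ports' filter). A host identical to the site's own home host skips the address check.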

Parameters

$url string required
Request URL.

Return

string|false URL or false on failure.

Source

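/**
 * Validates a URL for safe use in the HTTP API.
 *
 * Accepts only http/https URLs that carry a host and no embedded credentials.
 * Unless the host equals the site's own 'home' host, the host is resolved to an
 * IPv4 address and rejected when that address falls in 0.0.0.0/8, 10.0.0.0/8,
 * 127.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (overridable through the
 * 'http_request_host_is_external' filter). An explicit port must be in the
 * 'http_allowed_safe_ports' list (80, 443 and 8080 by default) or match the
 * home URL's port on the same host.
 *
 * @since 3.5.2
 *
 * @param string $url Request URL.
 * @return string|false URL or false on failure.
 */
function wp_http_validate_url( $url ) {
	// Non-strings, the empty string and purely numeric strings are never URLs.
	if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
		return false;
	}

	// Only http/https are allowed. If protocol filtering changed the string in
	// any way other than letter case, treat the input as unsafe.
	$original_url = $url;
	$url          = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
	if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
		return false;
	}

	$parsed_url = parse_url( $url );
	if ( ! $parsed_url || empty( $parsed_url['host'] ) ) {
		return false;
	}

	// Embedded credentials (user:pass@host) are rejected outright.
	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) {
		return false;
	}

	// Reject hosts containing URL delimiters. Because ':' and the square
	// brackets are in this set, bracketed IPv6 literals never pass.
	if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) ) {
		return false;
	}

	$parsed_home = parse_url( get_option( 'home' ) );
	$same_host   = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
	$host        = trim( $parsed_url['host'], '.' );

	// The address check below is skipped when the URL targets the site's own host.
	if ( ! $same_host ) {
		if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
			// Host is already a dotted-quad IPv4 literal.
			$ip = $host;
		} else {
			// NOTE(review): the resolved address is used for this check only; the
			// function returns the URL string, so the name is resolved again when
			// the request is sent. Callers that rely on this as their only SSRF
			// guard should confirm the address actually connected to.
			$ip = gethostbyname( $host );
			if ( $ip === $host ) { // Error condition for gethostbyname().
				return false;
			}
		}
		if ( $ip ) {
			$parts = array_map( 'intval', explode( '.', $ip ) );
			// NOTE(review): only 0/8, 10/8, 127/8, 172.16/12 and 192.168/16 are
			// matched here. Other special-purpose ranges, such as link-local
			// 169.254.0.0/16, are not in this list.
			if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
				|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
				|| ( 192 === $parts[0] && 168 === $parts[1] )
			) {
				// If host appears local, reject unless specifically allowed.
				/**
				 * Checks if HTTP request is external or not.
				 *
				 * Allows to change and allow external requests for the HTTP request.
				 *
				 * @since 3.6.0
				 *
				 * @param bool   $external Whether HTTP request is external or not.
				 * @param string $host     Host name of the requested URL.
				 * @param string $url      Requested URL.
				 */
				if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) ) {
					return false;
				}
			}
		}
	}

	// No explicit port: the scheme default applies, nothing more to check.
	if ( empty( $parsed_url['port'] ) ) {
		return $url;
	}

	$port = $parsed_url['port'];

	/**
	 * Controls the list of ports considered safe in HTTP API.
	 *
	 * Allows to change and allow external requests for the HTTP request.
	 *
	 * @since 5.9.0
	 *
	 * @param int[]  $allowed_ports Array of integers for valid ports.
	 * @param string $host          Host name of the requested URL.
	 * @param string $url           Requested URL.
	 */
	$allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url );
	// Strict comparison: the port must match an allowed entry by type as well as value.
	if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) {
		return $url;
	}

	// A non-listed port is still accepted when it is the site's own host and port.
	if ( $parsed_home && $same_host && isset( $parsed_home['port'] ) && $parsed_home['port'] === $port ) {
		return $url;
	}

	return false;
}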

Hooks

apply_filters ( ‘http_allowed_safe_ports’, int[] $allowed_ports , string $host , string $url )

Controls the list of ports considered safe in HTTP API.

apply_filters ( ‘http_request_host_is_external’, bool $external , string $host , string $url )

Checks if HTTP request is external or not.

Changelog

Version Description
3.5.2 Introduced.
