filter_var to sanitise URL

spatie · Dec 18, 2024 · a328033 · a328033
1 parent 445f6c8
commit a328033
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/src/Browsershot.php b/src/Browsershot.php
@@ -257,8 +257,10 @@ public function waitForSelector(string $selector, array $options = []): static
 
     public function setUrl(string $url): static
     {
-        $url = trim($url);
-
+        if (filter_var($url, FILTER_VALIDATE_URL) === false ){
+            throw FileUrlNotAllowed::parseError();
+        }
+
         $unsupportedProtocols = [
             'file://',
             'file:/',

diff --git a/src/Exceptions/FileUrlNotAllowed.php b/src/Exceptions/FileUrlNotAllowed.php
@@ -10,4 +10,9 @@ public static function make(): static
     {
         return new static('An URL is not allow to start with file:// or file:/');
     }
+
+    public static function parseError(): static
+    {
+        return new static('URL parse error');
+    }
 }
diff --git a/tests/BrowsershotTest.php b/tests/BrowsershotTest.php
@@ -76,6 +76,11 @@
     Browsershot::url('file:/test');
 })->throws(FileUrlNotAllowed::class);
 
+it('will not allow a slightly malformed file url', function () {
+    Browsershot::url('fil
+    e:///test');
+})->throws(FileUrlNotAllowed::class);
+
 it('will not allow html to contain file:/', function () {
     Browsershot::html('<h1><img src="file:/" /></h1>');
 })->throws(HtmlIsNotAllowedToContainFile::class);