URL validation fails when query parameters in validated URL contains space

[carestad]

Laravel Version

11.41.3

PHP Version

8.4.3

Database Driver & Version

No response

Description

For some reason it seems that calling /link?url=https://www.foo.com/?utm_campaign=some%20campaign in my application will fail to validate the url parameter there. Calling Str::isUrl('https://www.foo.com/?utm_campaign=some%20campaign')` directly in tinker returns true though. However, dumping $request->input('url') in the controller reveals that the %20 character there has done MIA. That also happens if I use + as a space encoder.

Steps To Reproduce

routes/web.php:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::get('/link', function(Request $request) {
    $request->validate(['url' => 'required|url']);
});

tests/Feature/UrlValidatorTest.php:

<?php

use function Pest\Laravel\getJson;

test('passes 1', function() {
    getJson('/link?url=https://www.foo.com/?utm_campaign=some%2520campaign')->assertSuccessful();
});
test('fails 1', function() {
    getJson('/link?url=https://www.foo.com/?utm_campaign=some%20campaign')->assertSuccessful();
});
test('passes 2', function() {
    getJson('/link?url=https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%2520campaign')->assertSuccessful();
});
test('fails 2', function() {
    getJson('/link?url=https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%20campaign')->assertSuccessful();
});

Test 2 and 4 will then fail here.

Is this supposed to fail like this? My understanding is that https://www.foo.com/?utm_campaign=some%20campaign is a completely valid URL though (and directly calling Str::isUrl('https://www.foo.com/?utm_campaign=some%20campaign') confirms that). Or should spaces in query parameters always be double encoded when passing them to Laravel for validation?

One workaround/hack is to add these lines before the validation is done:

$request->merge([
    'url' => Str::replace(' ', '+', $request->input('url')),
]);

Reproduction repo: https://github.com/carestad/laravel-url-validation-bug

[ghost]

You should url encode an url set as query param:

https%3A%2F%2Fwww.foo.com%2F%3Futm_campaign%3Dsome%20campaign

[jackbayliss]

I think this is down to PHP decoding it, and then when it's validating the space is included, which then makes it invalid.. It does seem odd. Maybe a custom validator is a better way around it.. or maybe it'd be better to post it rather than a url param, that way it doesn't get decoded. Not sure if it belongs in the framework as it's an edgecase I guess, I did open a PR but closed it after some thought.

[github-actions]

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

[AbronStudio]

I have reviewed the issue regarding URL validation failing when query parameters contain spaces. This behavior stems from how PHP processes query parameters, where spaces encoded as %20 or + are converted back to spaces, leading to potential validation failures.

Proposed Solution:

To address this, consider encoding the URL before validation to ensure spaces are properly represented. Alternatively, adjust the validation logic to account for spaces in query parameters.

Implementation Details:

In your controller, you can encode the URL before validation:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::get('/link', function(Request $request) {
    $url = urlencode($request->input('url'));
    $request->merge(['url' => $url]);

    $request->validate([
        'url' => 'required|url',
    ]);

    // Proceed with the validated URL
});

This approach ensures that spaces and other special characters are properly encoded, allowing the url validation rule to function as expected.

Considerations:

User Experience: Ensure that encoding the URL doesn't affect user experience, especially if the URL is displayed back to the user.

Security: Always sanitize and validate URLs to prevent potential security vulnerabilities.

By implementing this solution, URL validation should handle spaces in query parameters correctly.