Validates a URL for safe use in the HTTP API.
Description
Examples of URLs that are considered unsafe:
- ftp://example.com/caniload.php – Invalid protocol – only http and https are allowed.
- http:///example.com/caniload.php – Malformed URL.
- http://user:pass@example.com/caniload.php – Login information.
- http://example.invalid/caniload.php – Invalid hostname, as the IP cannot be looked up in DNS.
Examples of URLs that are considered unsafe by default:
- http://192.168.0.1/caniload.php – IPs from LAN networks.
This can be changed with the ‘http_request_host_is_external’ filter. - http://198.143.164.252:81/caniload.php – By default, only 80, 443, and 8080 ports are allowed.
This can be changed with the ‘http_allowed_safe_ports’ filter.
Parameters
$urlstringrequired- Request URL.
Source
function wp_http_validate_url( $url ) { if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) { return false; } $original_url = $url; $url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) ); if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) { return false; } $parsed_url = parse_url( $url ); if ( ! $parsed_url || empty( $parsed_url['host'] ) ) { return false; } if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) { return false; } if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) ) { return false; } $parsed_home = parse_url( get_option( 'home' ) ); $same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); $host = trim( $parsed_url['host'], '.' ); if ( ! $same_host ) { if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) { $ip = $host; } else { $ip = gethostbyname( $host ); if ( $ip === $host ) { // Error condition for gethostbyname(). return false; } } if ( $ip ) { $parts = array_map( 'intval', explode( '.', $ip ) ); if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) || ( 192 === $parts[0] && 168 === $parts[1] ) ) { // If host appears local, reject unless specifically allowed. /** * Checks if HTTP request is external or not. * * Allows to change and allow external requests for the HTTP request. * * @since 3.6.0 * * @param bool $external Whether HTTP request is external or not. * @param string $host Host name of the requested URL. * @param string $url Requested URL. */ if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) ) { return false; } } } } if ( empty( $parsed_url['port'] ) ) { return $url; } $port = $parsed_url['port']; /** * Controls the list of ports considered safe in HTTP API. * * Allows to change and allow external requests for the HTTP request. * * @since 5.9.0 * * @param int[] $allowed_ports Array of integers for valid ports. * @param string $host Host name of the requested URL. * @param string $url Requested URL. */ $allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url ); if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) { return $url; } if ( $parsed_home && $same_host && isset( $parsed_home['port'] ) && $parsed_home['port'] === $port ) { return $url; } return false; } Hooks
- apply_filters( ‘http_allowed_safe_ports’,
int[] $allowed_ports ,string $host ,string $url ) Controls the list of ports considered safe in HTTP API.
- apply_filters( ‘http_request_host_is_external’,
bool $external ,string $host ,string $url ) Checks if HTTP request is external or not.
Changelog
| Version | Description |
|---|---|
| 3.5.2 | Introduced. |
If you’re validating a URL submitted by a user, I’d suggest instead using esc_url_raw(). Like so: `esc_url_raw( $url ) === $url`.