Closed
Symfony version(s) affected
6.4 and newer
Description
Hello,
I find this code is too invasive:
html-sanitizer/TextSanitizer/UrlSanitizer.php

```php
if (preg_match('/\s/', $url)) {
    return null;
}
```
What is the purpose of this, to avoid spaces before and after the string? Like
" http://www.some.com/assets/test1.jpg" or " http://www.some.com/assets/test1.jpg "
This code will also remove something like "http://www.some.com/assets/test 1.jpg" if there are spaces in the asset name or pathname. I think whitespace should be allowed there.
Thanks
How to reproduce
For example, URLs containing whitespace in the asset name.
Possible Solution
Treating the URL as invalid if there are spaces at the beginning or end of the URL could be one.
Additional Context
No response
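
The check quoted in the issue, run against the report's three URLs, next to a caller-side normalization that percent-encodes spaces after the host before the value is sanitized. This is an added example, not part of the issue and not Symfony's code: `rejectedByWhitespaceCheck()` and `normalizeUrlWhitespace()` are hypothetical names, the helper only handles absolute `scheme://` URLs, and the last two sample URLs are constructed.

```php
<?php
// Added example, not Symfony code.

// The check quoted in the issue: true when the URL would be dropped.
function rejectedByWhitespaceCheck(string $url): bool
{
    return 1 === preg_match('/\s/', $url);
}

// Hypothetical caller-side helper (assumption): make an absolute URL
// whitespace-free before it reaches the sanitizer.
function normalizeUrlWhitespace(string $url): ?string
{
    // Surrounding blanks carry no meaning.
    $url = trim($url, ' ');

    // Control characters (tab, CR, LF, ...) are refused, never repaired.
    if (1 === preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }

    // Scheme and authority must already be whitespace-free; only the
    // path, query and fragment may contain spaces to encode.
    $re = '~^([a-z][a-z0-9+.-]*://[^/?#\s]+)((?:[/?#].*)?)$~i';
    if (1 !== preg_match($re, $url, $m)) {
        return null;
    }

    return $m[1] . str_replace(' ', '%20', $m[2]);
}

// The first three samples are the URLs from the issue; the last two are constructed.
$samples = [
    ' http://www.some.com/assets/test1.jpg',
    ' http://www.some.com/assets/test1.jpg ',
    'http://www.some.com/assets/test 1.jpg',
    "http://www.some.com/assets/test\t1.jpg",
    'http://www.some .com/assets/test1.jpg',
];

foreach ($samples as $url) {
    $fixed = normalizeUrlWhitespace($url);
    $raw = rejectedByWhitespaceCheck($url) ? 'rejected' : 'kept';
    $after = null === $fixed ? 'refused' : $fixed;
    printf("%s\n  raw: %s\n  normalized: %s\n", json_encode($url, JSON_UNESCAPED_SLASHES), $raw, $after);
}
```

Every value the helper returns is free of whitespace, so it passes the quoted check unchanged; URLs with a tab or with a space in the host are still refused.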