1. class
  2. Drupal
  3. \
  4. Component
  5. \
  6. Utility
  7. \
  8. UrlHelper

UrlHelper

class UrlHelper (View source)

Helper class URL based methods.

Properties

static protected array $allowedProtocols

The list of allowed protocols.

Methods

static string
buildQuery(array $query, string $parent = '')

Parses an array into a valid, rawurlencoded query string.

static An
filterQueryParameters(array $query, array $exclude = [], string $parent = '')

Filters a URL query parameter array to remove unwanted elements.

static array
parse(string $url)

Parses a URL string into its path, query, and fragment components.

static string
encodePath(string $path)

Encodes a Drupal path for use in a URL.

static bool
isExternal(string $path)

Determines whether a path is external to Drupal.

static bool
externalIsLocal(string $url, string $base_url)

Determines if an external URL points to this installation.

static string
filterBadProtocol(string $string)

Processes an HTML attribute value and strips dangerous protocols from URLs.

static array
getAllowedProtocols()

Gets the allowed protocols.

static 
setAllowedProtocols(array $protocols = [])

Sets the allowed protocols.

static string
stripDangerousProtocols(string $uri)

Strips dangerous protocols (for example, 'javascript:') from a URI.

static bool
isValid(string $url, bool $absolute = FALSE)

Verifies the syntax of the given URL.

Details

at line 42
static string buildQuery(array $query, string $parent = '')

Parses an array into a valid, rawurlencoded query string.

Function rawurlencode() is RFC3986 compliant, and as a consequence RFC3987 compliant. The latter defines the required format of "URLs" in HTML5. urlencode() is almost the same as rawurlencode(), except that it encodes spaces as "+" instead of "%20". This makes its result non compliant to RFC3986 and as a consequence non compliant to RFC3987 and as a consequence not valid as a "URL" in HTML5.

Parameters

array $query

The query parameter array to be processed; for instance, \Drupal::request()->query->all().
string $parent

(optional) Internal use only. Used to build the $query array key for nested items. Defaults to an empty string.

Return Value

string

A rawurlencoded string which can be used as or appended to the URL query string.

at line 79
static An filterQueryParameters(array $query, array $exclude = [], string $parent = '')

Filters a URL query parameter array to remove unwanted elements.

Parameters

array $query

An array to be processed.
array $exclude

(optional) A list of $query array keys to remove. Use "parent[child]" to exclude nested items.
string $parent

Internal use only. Used to build the $query array key for nested items.

Return Value

An

array containing query parameters.

at line 133
static array parse(string $url)

Parses a URL string into its path, query, and fragment components.

This function splits both internal paths like @code node?b=c#d @endcode and external URLs like @code https://example.com/a?b=c#d @endcode into their component parts. See

Parameters

string $url

The internal path or external URL string to parse.

Return Value

array

An associative array containing:

  • path: The path component of $url. If $url is an external URL, this includes the scheme, authority, and path.
  • query: An array of query parameters from $url, if they exist.
  • fragment: The fragment component from $url, if it exists.

See also

LinkGenerator
http://tools.ietf.org/html/rfc3986

at line 195
static string encodePath(string $path)

Encodes a Drupal path for use in a URL.

For aesthetic reasons slashes are not escaped.

Parameters

string $path

The Drupal path to encode.

Return Value

string

The encoded path.

at line 213
static bool isExternal(string $path)

Determines whether a path is external to Drupal.

An example of an external path is http://example.com. If a path cannot be assessed by Drupal's menu handler, then we must treat it as potentially insecure.

Parameters

string $path

The internal path or external URL being linked to, such as "node/34" or "http://example.com/foo".

Return Value

bool

TRUE or FALSE, where TRUE indicates an external path.

at line 247
static bool externalIsLocal(string $url, string $base_url)

Determines if an external URL points to this installation.

Parameters

string $url

A string containing an external URL, such as "http://example.com/foo".
string $base_url

The base URL string to check against, such as "http://example.com/"

Return Value

bool

TRUE if the URL has the same domain and base path.

Exceptions

InvalidArgumentException

at line 286
static string filterBadProtocol(string $string)

Processes an HTML attribute value and strips dangerous protocols from URLs.

Parameters

string $string

The string with the attribute value.

Return Value

string

Cleaned up and HTML-escaped version of $string.

at line 299
static array getAllowedProtocols()

Gets the allowed protocols.

Return Value

array

An array of protocols, for example http, https and irc.

at line 309
static setAllowedProtocols(array $protocols = [])

Sets the allowed protocols.

Parameters

array $protocols

An array of protocols, for example http, https and irc.

at line 352
static string stripDangerousProtocols(string $uri)

Strips dangerous protocols (for example, 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of \Drupal\Component\Utility\UrlHelper::filterBadProtocol() or \Drupal\Component\Utility\Xss::filter(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to functions that will call Html::escape() separately. The exact behavior depends on the value:

  • If the value is a well-formed (per RFC 3986) relative URL or absolute URL that does not use a dangerous protocol (like "javascript:"), then the URL remains unchanged. This includes all URLs generated via Url::toString().
  • If the value is a well-formed absolute URL with a dangerous protocol, the protocol is stripped. This process is repeated on the remaining URL until it is stripped down to a safe protocol.
  • If the value is not a well-formed URL, the same sanitization behavior as for well-formed URLs will be invoked, which strips most substrings that precede a ":". The result can be used in URL attributes such as "href" or "src" (only after calling Html::escape() separately), but this may not produce valid HTML (for example, malformed URLs within "href" attributes fail HTML validation). This can be avoided by using Url::fromUri($possibly_not_a_url)->toString(), which either throws an exception or returns a well-formed URL.

Parameters

string $uri

A plain-text URI that might contain dangerous protocols.

Return Value

string

A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without being sanitized first. However, it can be passed to functions expecting plain-text strings.

See also

Html::escape
Url::toString
Url::fromUri

at line 394
static bool isValid(string $url, bool $absolute = FALSE)

Verifies the syntax of the given URL.

This function should only be used on actual URLs. It should not be used for Drupal menu paths, which can contain arbitrary characters. Valid values per RFC 3986.

Parameters

string $url

The URL to verify.
bool $absolute

Whether the URL is absolute (beginning with a scheme such as "http:").

Return Value

bool

TRUE if the URL is in a valid format, FALSE otherwise.