PHP 8.5 Adds Two Standards-Compliant URI Parsers to Replace Flawed parse_url()

PHP 8.5 introduces a built-in URI extension with two new classes, Uri\Rfc3986\Uri and Uri\WhatWg\Url, designed to replace the long-standing parse_url() function. The existing parse_url(), present since PHP 4, conforms to neither RFC 3986 nor the WHATWG URL standard, often returning inconsistent or misleading results for malformed inputs. This inconsistency between how a validator parses a URL and how an HTTP client resolves it is a known root cause of Server-Side Request Forgery (SSRF) vulnerabilities, as highlighted in a notable Black Hat 2017 presentation. The new RFC 3986 class suits general-purpose URIs and offers explicit error handling via exceptions or null returns, while the WHATWG class mirrors browser and fetch() parsing behavior for web-bound URLs. Developers are advised to match their validator's parser to the parser used by the consuming client in order to eliminate ambiguity gaps.
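The summary's advice, validate with the same parser the consuming client uses and reject anything that parser cannot handle, as an added example that is not code from the article or from the PHP project. It assumes the `Uri\WhatWg\Url::parse()`, `getScheme()`, `getAsciiHost()` and `getPort()` names from the PHP 8.5 URI extension RFC, and the allow-list is a constructed sample.

```php
<?php
// Added example (not from the article): an outbound-target check that parses
// with the WHATWG parser, i.e. the same rules a browser or fetch()-style client
// applies, so the validator and the client cannot disagree about the host.
// Method names are assumed from the PHP 8.5 URI extension RFC.
declare(strict_types=1);

use Uri\WhatWg\Url;

/**
 * Returns true only if $input parses under WHATWG rules AND its scheme and
 * host are on the allow-list. A parse failure is a rejection: there is
 * deliberately no fallback to parse_url(), whose result can differ from the
 * client's.
 */
function isAllowedWebTarget(string $input, array $allowedHosts): bool
{
    $softErrors = [];
    // parse() returns null on failure; the constructor form
    // (new Url($input)) would throw Uri\WhatWg\InvalidUrlException instead.
    $url = Url::parse($input, null, $softErrors);
    if ($url === null) {
        return false;
    }

    if (!in_array($url->getScheme(), ['http', 'https'], true)) {
        return false;
    }

    // Compare the ASCII (punycode) host form, which is what the client resolves.
    $host = $url->getAsciiHost();
    if ($host === null || !in_array($host, $allowedHosts, true)) {
        return false;
    }

    // Only the scheme's default port is accepted for this constructed policy.
    return $url->getPort() === null;
}

// Constructed sample allow-list and inputs for the demonstration.
$allowed = ['api.example.com'];
var_dump(isAllowedWebTarget('https://api.example.com/v1/users', $allowed));
var_dump(isAllowedWebTarget('https://api.example.com:8443/v1/users', $allowed));
var_dump(isAllowedWebTarget('not a url', $allowed));
```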
This is an AI-generated summary. ShortSingh links to the original source for the complete article.