Problem/Motivation
The link widget seems to rely purely on native browser side validation for checking the validity of external URLs. When an invalid URL such as "http:" (on Firefox) or "irc:" (on Chromium and Firefox) is used then these malformed URLs are accepted.
Steps to replicate:
- Add a link field on the "Article" node type with the option "Allowed link type" set to "External links only".
- Create an article, enter "http:" or "irc:" for the URL, and submit the form.
- Result: the invalid URL is accepted.
This was originally reported by idimopoulos.
Proposed resolution
There are two proposals
1) Add validation for punycode and magnet links in /core/modules/link/src/Plugin/Validation/Constraint/LinkExternalProtocolsConstraintValidator
or
2) Use the Symfony Url Validator, #34. This was proposed 6 years ago in #295021: filter_var() with FILTER_VALIDATE_URL accepts malformed URLs and rejects not all valid URLs and 4 years ago in #2691099: Improve external URL validation in many ways
Remaining tasks
Choose a proposed resolution and if the 1) then decide if these changes should be in UrlHelper See #21