Internationalized Domain Name support in FILTER_VALIDATE_URL

10 years ago by dunglas@gmail.com — view source

unread

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

--
Kévin Dunglas

http://dunglas.fr

10 years ago by Andrea Faulds — view source

unread

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

Perhaps add a new filter that covers normal URLs and IDN ones? I just imagine it might cause problems if suddenly IDNs are accepted, if there is a backend which can’t handle them.

--
Andrea Faulds
http://ajf.me/

10 years ago by Tjerk Meesters — view source

unread

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

Perhaps add a new filter that covers normal URLs and IDN ones? I just imagine it might cause problems if suddenly IDNs are accepted, if there is a backend which can’t handle them.

We don’t need a new filter, you can simply add a filter flag for FILTER_VALIDATE_URL, e.g. FILTER_FLAG_ALLOW_IDN.

Of course, the ICU dependency should be optional :)

--
Andrea Faulds
http://ajf.me/

10 years ago by dunglas@gmail.com — view source

unread

Hi,

The flag is a good idea to handle old systems but the feature must be
enabled by default (at least for PHP 7) and disablable through the flag.
IDN RFCs are more than 10 years old. All major browsers and registrars
support IDN.

Le vendredi 19 septembre 2014, Tjerk Meesters tjerk.meesters@gmail.com a
écrit :

On 18 Sep 2014, at 21:26, Kévin Dunglas <dunglas@gmail.com
javascript:;> wrote:

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

Perhaps add a new filter that covers normal URLs and IDN ones? I just
imagine it might cause problems if suddenly IDNs are accepted, if there is
a backend which can’t handle them.

We don’t need a new filter, you can simply add a filter flag for
FILTER_VALIDATE_URL, e.g. FILTER_FLAG_ALLOW_IDN.

Of course, the ICU dependency should be optional :)

--
Andrea Faulds
http://ajf.me/

--

--
Kévin Dunglas
Consultant et développeur freelance

http://dunglas.fr
Tél. : 06 60 91 20 20

10 years ago by Tjerk Meesters — view source

unread

Hi,

The flag is a good idea to handle old systems but the feature must be
enabled by default (at least for PHP 7) and disablable through the flag.
IDN RFCs are more than 10 years old. All major browsers and registrars
support IDN.

My apologies, I meant the inverse.

If ICU is enabled we should make FILTER_VALIDATE_URL check IDN by default
and add a flag to allow malformed IDN. However, it should not enforce the
dependency on ICU itself; if it's there, it will be used, otherwise it will
allow malformed IDN by default (if present).

Personally I wouldn't mind having this for 5.6 as well if the upgrade path
is clean, but the cleanest path I could think of involves having two flags
that do the opposite action :)

Le vendredi 19 septembre 2014, Tjerk Meesters tjerk.meesters@gmail.com
a écrit :

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and
to
validate IDN only if ICU is present.

What strategy is preferred?

Perhaps add a new filter that covers normal URLs and IDN ones? I just
imagine it might cause problems if suddenly IDNs are accepted, if there is
a backend which can’t handle them.

We don’t need a new filter, you can simply add a filter flag for
FILTER_VALIDATE_URL, e.g. FILTER_FLAG_ALLOW_IDN.

Of course, the ICU dependency should be optional :)

--
Andrea Faulds
http://ajf.me/

--

--
Kévin Dunglas
Consultant et développeur freelance

http://dunglas.fr
Tél. : 06 60 91 20 20

--

Tjerk

10 years ago by Chris Wright — view source

unread

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar
moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)
an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

Thanks, Chris

10 years ago by Pierre Joye — view source

unread

Hi,

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar

moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)

an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

I am really not sure about that especially the enabling by default part.

The doc is pretty clear about what this filter supports and allowing idn
may break a lot of codes out there.

From an implementation point of view we may not need ICU to support IDN.
Windows does not use it and there are license friendly decoder
implementations too.

Cheers,
Pierre

10 years ago by Chris Wright — view source

unread

Hi,

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar

moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)

an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

I am really not sure about that especially the enabling by default part.

The doc is pretty clear about what this filter supports and allowing idn may
break a lot of codes out there.

From an implementation point of view we may not need ICU to support IDN.
Windows does not use it and there are license friendly decoder
implementations too.

If we can agree on adding a core dependency on <some IDN support lib>,
I already have an experimental local branch that adds full IDN support
to streams. It's based on libidn but it would be easy enough to swap
it out for something else that provides the same functionality.

In my (biased) opinion, streams are a far more important element of
IDN support. Filter validation is just polish/a nicety on top.

10 years ago by dunglas@gmail.com — view source

unread

Support of IDN in streams is a must have.
But there is a lot of other use cases for URL with IDN validation. The most
common is probably form validation (test if an user submitted URL has a
valid format and can be used to create an HTML link...).

I'm ok making IDN validation optional and not used by default until PHP
natively support IDN in other features such as streams.
But IDN are used more and more in the wild, and from a user point of view
it is disappointing that a valid URL, working in browsers and even
displayed by Google Search is not considered as a valid URL by a PHP-based
website using filter_var() without a specific flag.

Even some TLD are using non-ASCII characters, exemple: http://旅游气象.中国
 http://xn--zfv73l7xbp87c.xn--fiqs8s (popular Chinese weather site).

About the library, I've not preference between libidn and icu. If the
licence is libidn fit better with the PHP one, libidn is probably the
better choice. Having a PHP specific implementation of STRINGPREP and
Punnycode sounds not like a good idea (reinventing the wheel, more code to
maintain).

Chris, is there a chance to have your work on streams merged in PHP 7?

What do you thing about the following planning:

5.7 (if exists): add IDN support in filter disabled by default. Use
libidn if selected to be used for streams too.
7 (if IDN support for streams is completed): validate IDN by default
(what the user expect), add a flag to disable IDN validation. Of course
we'll update the doc explaining the new behavior.

2014-09-19 12:28 GMT+02:00 Chris Wright cw@daverandom.com:

Hi,

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and
to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar

moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)

an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

I am really not sure about that especially the enabling by default part.

The doc is pretty clear about what this filter supports and allowing idn
may
break a lot of codes out there.

From an implementation point of view we may not need ICU to support IDN.
Windows does not use it and there are license friendly decoder
implementations too.

If we can agree on adding a core dependency on <some IDN support lib>,
I already have an experimental local branch that adds full IDN support
to streams. It's based on libidn but it would be easy enough to swap
it out for something else that provides the same functionality.

In my (biased) opinion, streams are a far more important element of
IDN support. Filter validation is just polish/a nicety on top.

--
Kévin Dunglas

http://dunglas.fr

10 years ago by Chris Wright — view source

unread

Support of IDN in streams is a must have.
But there is a lot of other use cases for URL with IDN validation. The most
common is probably form validation (test if an user submitted URL has a
valid format and can be used to create an HTML link...).

I'm ok making IDN validation optional and not used by default until PHP
natively support IDN in other features such as streams.
But IDN are used more and more in the wild, and from a user point of view it
is disappointing that a valid URL, working in browsers and even displayed by
Google Search is not considered as a valid URL by a PHP-based website using
filter_var() without a specific flag.

Even some TLD are using non-ASCII characters, exemple: http://旅游气象.中国
(popular Chinese weather site).

About the library, I've not preference between libidn and icu. If the
licence is libidn fit better with the PHP one, libidn is probably the better
choice. Having a PHP specific implementation of STRINGPREP and Punnycode
sounds not like a good idea (reinventing the wheel, more code to maintain).

Chris, is there a chance to have your work on streams merged in PHP 7?

It's very hacky and PoC at the moment. I've got a bunch of
time-consuming personal things going on right now, but within the next
couple of weeks I will try and polish it up into something
serviceable, maintainable and tested/less likely to explode with
edge-cases and then I'll put it up for discussion.

I'm also fine if someone else wants to have a crack in the meantime, I
can push my work so far to github early next week when I get access to
the machine.

I'd certainly like the functionality to be in 7 if it's viable from a
licensing and dependency PoV - I had been holding off bringing it up
to see what happened with the more general unicode support discussion
(which I somewhat lost track of and seems to have died out) as there
was talk of introducing a hard dependency on ICU-or-similar at one
point, which would have made this a no-brainer.

What do you thing about the following planning:

5.7 (if exists): add IDN support in filter disabled by default. Use libidn
if selected to be used for streams too.

7 (if IDN support for streams is completed): validate IDN by default (what
the user expect), add a flag to disable IDN validation. Of course we'll
update the doc explaining the new behavior.

2014-09-19 12:28 GMT+02:00 Chris Wright cw@daverandom.com:

Hi,

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h and
to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar

moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)

an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

I am really not sure about that especially the enabling by default part.

The doc is pretty clear about what this filter supports and allowing idn
may
break a lot of codes out there.

From an implementation point of view we may not need ICU to support IDN.
Windows does not use it and there are license friendly decoder
implementations too.

If we can agree on adding a core dependency on <some IDN support lib>,
I already have an experimental local branch that adds full IDN support
to streams. It's based on libidn but it would be easy enough to swap
it out for something else that provides the same functionality.

In my (biased) opinion, streams are a far more important element of
IDN support. Filter validation is just polish/a nicety on top.

--
Kévin Dunglas

http://dunglas.fr

10 years ago by dunglas@gmail.com — view source

unread

I'll implement optional (and not default) support of IDN in filter_var().

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom
license deviated from the X license) from a license point of view?

2014-09-19 16:18 GMT+02:00 Chris Wright cw@daverandom.com:

Support of IDN in streams is a must have.
But there is a lot of other use cases for URL with IDN validation. The
most
common is probably form validation (test if an user submitted URL has a
valid format and can be used to create an HTML link...).

I'm ok making IDN validation optional and not used by default until PHP
natively support IDN in other features such as streams.
But IDN are used more and more in the wild, and from a user point of
view it
is disappointing that a valid URL, working in browsers and even
displayed by
Google Search is not considered as a valid URL by a PHP-based website
using
filter_var() without a specific flag.

Even some TLD are using non-ASCII characters, exemple: http://旅游气象.中国
 http://xn--zfv73l7xbp87c.xn--fiqs8s
(popular Chinese weather site).

About the library, I've not preference between libidn and icu. If the
licence is libidn fit better with the PHP one, libidn is probably the
better
choice. Having a PHP specific implementation of STRINGPREP and Punnycode
sounds not like a good idea (reinventing the wheel, more code to
maintain).

Chris, is there a chance to have your work on streams merged in PHP 7?

It's very hacky and PoC at the moment. I've got a bunch of
time-consuming personal things going on right now, but within the next
couple of weeks I will try and polish it up into something
serviceable, maintainable and tested/less likely to explode with
edge-cases and then I'll put it up for discussion.

I'm also fine if someone else wants to have a crack in the meantime, I
can push my work so far to github early next week when I get access to
the machine.

I'd certainly like the functionality to be in 7 if it's viable from a
licensing and dependency PoV - I had been holding off bringing it up
to see what happened with the more general unicode support discussion
(which I somewhat lost track of and seems to have died out) as there
was talk of introducing a hard dependency on ICU-or-similar at one
point, which would have made this a no-brainer.

What do you thing about the following planning:

5.7 (if exists): add IDN support in filter disabled by default. Use
libidn
if selected to be used for streams too.

7 (if IDN support for streams is completed): validate IDN by default
(what
the user expect), add a flag to disable IDN validation. Of course we'll
update the doc explaining the new behavior.

2014-09-19 12:28 GMT+02:00 Chris Wright cw@daverandom.com:

Hi,

Kévin

Hello,

I'm working on enhancing the FILTER_VALIDATE_URL filter (
https://github.com/php/php-src/pull/826).
The current implementation does not support validation of
internationalized
domain names (i.e: http://www.académie-française.fr/
http://www.xn--acadmie-franaise-npb1a.fr/
http://www.xn--acadmie-franaise-npb1a.fr/).

Support of IDN validation can be easily added using ICU's
uidna_toASCII()
function.

Is it acceptable to add a dependency to ICU for ext/filter?
Another option is to add a HAVE_ICU constant in main/php_config.h
and
to
validate IDN only if ICU is present.

What strategy is preferred?

I've done some work around this area previously, and all I will say
is: be careful with what you do with this from a userland PoV.

PHP does not natively support IDN in stream open routines or SSL
verification routines. It will never support these things without at
least one of:

a core dependency on ICU, libidn or similar

moving streams into an extension so a dependency can be introduced
there (probably not sanely possible)

an in-house NAMEPREP implementation (this is the hard part of IDN,
punycode itself is pretty trivial to implement once you have a
canonical set of codepoints)

These things can be implemented with a lot of boilerplate in
userland when you have ext/intl, but it's not pretty. libcurl can
support IDN if it was built against libidn, I'm not sure if this is
currently the case in common distributions or not. Since one almost
never just validates a URL string, it's usually a precursor to
attempting to open it, this could lead to some pretty hefty wtfs.

In short, while I'm generally for ext/filter being able to handle
IDN,
I do not believe it should do it implicitly, it should require an
explicit flag, because it will break a lot of code if IDN is
suddenly treated as valid where it previously wasn't.

I am really not sure about that especially the enabling by default
part.

The doc is pretty clear about what this filter supports and allowing
idn
may
break a lot of codes out there.

From an implementation point of view we may not need ICU to support
IDN.
Windows does not use it and there are license friendly decoder
implementations too.

If we can agree on adding a core dependency on <some IDN support lib>,
I already have an experimental local branch that adds full IDN support
to streams. It's based on libidn but it would be easy enough to swap
it out for something else that provides the same functionality.

In my (biased) opinion, streams are a far more important element of
IDN support. Filter validation is just polish/a nicety on top.

--
Kévin Dunglas

http://dunglas.fr

--
Kévin Dunglas
Consultant et développeur freelance

http://dunglas.fr
Tél. : 06 60 91 20 20

10 years ago by Andrea Faulds — view source

unread

I'll implement optional (and not default) support of IDN in filter_var().

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom
license deviated from the X license) from a license point of view?

We already use ICU in many places, so it's more likely to be available and people can get IDN support "for free". I suppose, then, the license isn't an issue.

--
Andrea Faulds
http://ajf.me/

10 years ago by Lester Caine — view source

unread

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom

license deviated from the X license) from a license point of view?
We already use ICU in many places, so it's more likely to be available and people can get IDN support "for free". I suppose, then, the license isn't an issue.
Has any alternative to ICU been found yet as a base for unicode support
in PHP7 in general?

--
Lester Caine - G8HFL

Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

10 years ago by Stas Malyshev — view source

unread

Hi!

I'll implement optional (and not default) support of IDN in filter_var().

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom
license deviated from the X license) from a license point of view?

ICU is definitely better since we already have a lot of code using ICU
and AFAIK our current IDN functions (idn_to_*) use ICU. Which means it
would be advantageous to keep it in the single library - whatever bugs
there may be, at least the user will be dealing with one set of bugs
instead of two :)

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/

10 years ago by Pierre Joye — view source

unread

Hi!

I'll implement optional (and not default) support of IDN in filter_var().

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom
license deviated from the X license) from a license point of view?

ICU is definitely better since we already have a lot of code using ICU
and AFAIK our current IDN functions (idn_to_*) use ICU. Which means it
would be advantageous to keep it in the single library - whatever bugs
there may be, at least the user will be dealing with one set of bugs
instead of two :)

Indeed :)

However I am not sure yet we should do it, or at least not by default.
It may introduce side effects or BC issues.While IDN is bi-directional
or could be called many times and returning the same result, we have
to be careful to do not break things out there, for example someone
relying on it to process URI/URL.

Cheers,

Pierre

@pierrejoye | http://www.libgd.org

10 years ago by dunglas@gmail.com — view source

unread

Hi Chris,

I've just blogged about IDN support in PHP. This post include a (tiny)
userland implementation of streams:
http://dunglas.fr/2014/10/internationalized-domain-name-idn-and-php/

What do you think about the following to add native support :

As already stated, make ICU a dependency of core
Convert the host returned by php_parse_url here
https://github.com/php/php-src/blob/master/ext/standard/http_fopen_wrapper.c#L154
to Punycode with
http://icu-project.org/apiref/icu4c432/uidna_8h.html#a711fa1d2e6dd25d7368f5b3ea2aaedc6

It looks not so intrusive and relatively easy to implement. According to
RFC I quote in the blog post, it should work with SSL too. I can make a PR
(or a RFC if needed) with this method if it seems applicable.

Best regards,

2014-09-24 8:33 GMT+02:00 Pierre Joye pierre.php@gmail.com:

On Wed, Sep 24, 2014 at 2:48 AM, Stas Malyshev smalyshev@sugarcrm.com
wrote:

Hi!

I'll implement optional (and not default) support of IDN in
filter_var().

Does anyone known if it's better to use libIDN (LGPL) or ICU (custom
license deviated from the X license) from a license point of view?

ICU is definitely better since we already have a lot of code using ICU
and AFAIK our current IDN functions (idn_to_*) use ICU. Which means it
would be advantageous to keep it in the single library - whatever bugs
there may be, at least the user will be dealing with one set of bugs
instead of two :)

Indeed :)

However I am not sure yet we should do it, or at least not by default.
It may introduce side effects or BC issues.While IDN is bi-directional
or could be called many times and returning the same result, we have
to be careful to do not break things out there, for example someone
relying on it to process URI/URL.

Cheers,

Pierre

@pierrejoye | http://www.libgd.org

--
Kévin Dunglas
Consultant et développeur freelance

http://dunglas.fr
Tél. : 06 60 91 20 20

Internationalized Domain Name support in FILTER_VALIDATE_URL

--

-- Lester Caine - G8HFL

Cheers,

Cheers,

--
Lester Caine - G8HFL