[Validator] Add the DataUri constraint for validating Data URI content #58201

Closed

symfonyaml
Contributor

| Q | A |
| --- | --- |
| Branch? | 7.2 |
| Bug fix? | no |
| New feature? | yes |
| Deprecations? | no |
| Issues | no |
| License | MIT |

Purpose

Inspired by the Yaml constraint, I've added a new feature to the Validator component for validating DataUri (RFC-2397) content with a dedicated constraint.

Real-world use case: having image content encoded in base64 within a database. With this new feature, you can validate the integrity of this data, ensuring the data URI is valid.

Example

namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class Book
{
    #[Assert\DataUri]
    private string $cover;
}

@OskarStark
Contributor

OskarStark commented Sep 8, 2024

You may want to check

@symfonyaml
Contributor Author

@alexandre-daubois @nicolas-grekas Regarding this comment #53360 (comment):

Can we consider that this constraint is validating a format from an RFC (RFC-2397)?

Otherwise we can close this PR then.

(?:;[\w\W]*?[^;])* # parameters
(;base64)? # encoding
,
[^$]+ # data
Member

I don't think this is correct: the data part cannot be "anything-but-$"
Here is another regexp for your consideration:

{^data:
(?:([a-zA-Z]++/[-a-zA-Z0-9.+]++)?
(?:;[-a-zA-Z]++=[-a-zA-Z0-9.+]++)*+
(?:;?base64)?
,(?:[-a-zA-Z0-9!$&',()*+;=._~:@/?%\s]*+)
$}

Contributor Author

@nicolas-grekas thank you so much, I'll have a go...

Member

@nicolas-grekas nicolas-grekas Sep 11, 2024

Note that I'm not sure my regexp is correct. I often see data URI with html tags in them and this wouldn't be allowed. Looks like carefully reading the RFC might be needed :)

@nicolas-grekas
Member

My opinion on this PR: it's complex.

Even validating only the format is difficult: what's allowed in the data part? Looks like whole html documents are possible here, with just some special chars to be careful about (e.g. double quotes so that the data uri can be embedded in an html attribute).
Dunno if browsers strictly follow the RFC or not. That's another possible compatibility issue, with the validator false-rejecting some URIs.

E.g. https://github.com/alchemy-fr/PHP-dataURI/blob/master/src/DataURI/Parser.php accepts any data here.
Maybe we should just borrow from there and ignore the strictness of the RFC?

And last but not least, we accept data URIs but we don't validate the content? This looks useless to me, nice vector for arbitrary data injection. One should validate that this is e.g. an image.

What would be useful is pairing this validator with other constraints that validate the content of the URI.
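
An added example, not part of this pull request or of Symfony: one way to pair a data URI format check with a check of the decoded content, as the comment above suggests. The function name, allow-list and size limit are assumptions, the accepted syntax is deliberately narrower than RFC 2397 (base64 only, no parameters), and ext-fileinfo is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. decodeImageDataUri() and ALLOWED_IMAGE_TYPES
// are hypothetical names; ext-fileinfo is assumed to be enabled.
const ALLOWED_IMAGE_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/** Returns the decoded bytes of an allow-listed base64 image data URI, or throws. */
function decodeImageDataUri(string $uri, int $maxBytes = 1_048_576): string
{
    // Format: accept only "data:<type>;base64,<payload>", with no other parameters.
    // This is deliberately narrower than RFC 2397.
    if (!preg_match('#^data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$#D', $uri, $m)) {
        throw new InvalidArgumentException('not a base64 data URI');
    }
    [, $declared, $payload] = $m;

    if (!in_array($declared, ALLOWED_IMAGE_TYPES, true)) {
        throw new InvalidArgumentException("declared type $declared is not allowed");
    }
    // Bound the decoded size before allocating it.
    if (intdiv(strlen($payload), 4) * 3 > $maxBytes) {
        throw new InvalidArgumentException('payload too large');
    }
    $bytes = base64_decode($payload, true);
    if ($bytes === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    // Content: trust the sniffed bytes, not the media type the URI claims.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed !== $declared) {
        throw new InvalidArgumentException("declared $declared but content is $sniffed");
    }
    return $bytes;
}

// Constructed samples: a 1x1 PNG, HTML labelled as PNG, and a plain HTML data URI.
$samples = [
    'png' => 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==',
    'html-as-png' => 'data:image/png;base64,' . base64_encode('<!doctype html><p>not an image</p>'),
    'html' => 'data:text/html,<p>not an image</p>',
];
foreach ($samples as $label => $uri) {
    try {
        printf("%s: accepted, %d bytes\n", $label, strlen(decodeImageDataUri($uri)));
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

A matching signature only shows that the bytes start like an image; fully decoding or re-encoding the image is a stronger check where the content is later served to browsers.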

@symfonyaml
Contributor Author

@nicolas-grekas I understand your concerns. You are right, in the end this constraint will just be a static #[Assert\Regex] constraint anyway. And good point for data injection too.
I close this PR.
I really appreciate your feedback, thank you!

@symfonyaml symfonyaml closed this Sep 11, 2024
@symfonyaml symfonyaml deleted the feature-validator-datauri-constraint branch October 21, 2024 14:44