RequestFactory: rejects invalid URL [WIP]

src/Http/RequestFactory.php

@@ -81,8 +81,12 @@ public function createHttpRequest(): Request
 		}
 
 		// path & query
+		$reChars = '#^[' . self::CHARS . ']*+\z#u';
 		$requestUrl = $_SERVER['REQUEST_URI'] ?? '/';
 		$requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);
+		if (!$this->binary && (!preg_match($reChars, rawurldecode($requestUrl)) || preg_last_error())) {
+			// TODO: invalid request
+		}
 		$requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);
 		$tmp = explode('?', $requestUrl, 2);
 		$path = Url::unescape($tmp[0], '%/?#');
@@ -100,34 +104,20 @@ public function createHttpRequest(): Request
 		}
 		$url->setScriptPath($path);
 
-		// GET, POST, COOKIE
+		// POST, COOKIE
 		$useFilter = (!in_array(ini_get('filter.default'), ['', 'unsafe_raw'], true) || ini_get('filter.default_flags'));
-
-		$query = $url->getQueryParameters();
 		$post = $useFilter ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) : (empty($_POST) ? [] : $_POST);
 		$cookies = $useFilter ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW) : (empty($_COOKIE) ? [] : $_COOKIE);
 
 		// remove invalid characters
-		$reChars = '#^[' . self::CHARS . ']*+\z#u';
 		if (!$this->binary) {
-			$list = [&$query, &$post, &$cookies];
-			foreach ($list as $key => &$val) {
-				foreach ($val as $k => $v) {
-					if (is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
-						unset($list[$key][$k]);
-
-					} elseif (is_array($v)) {
-						$list[$key][$k] = $v;
-						$list[] = &$list[$key][$k];
-
-					} else {
-						$list[$key][$k] = (string) preg_replace('#[^' . self::CHARS . ']+#u', '', $v);
-					}
-				}
+			if (!preg_match($reChars, rawurldecode(http_build_query($post))) || preg_last_error()) {
+				$post = [];
+			}
+			if (!preg_match($reChars, rawurldecode(http_build_query($cookies))) || preg_last_error()) {
+				$cookies = [];
 			}
-			unset($list, $key, $val, $k, $v);
 		}
-		$url->setQuery($query);
 
 
 		// FILES and create FileUpload objects