Add support for mailto schemee on League\Uri\Uri

nyamsprod · nyamsprod · commit a4a09eeb12ee · 2025-11-18T08:56:59.000+01:00
diff --git a/docs/uri/7.0/rfc3986.md b/docs/uri/7.0/rfc3986.md
@@ -146,7 +146,7 @@ $uri = Uri::new('toto://thephpleague.com/path/to?here#content');
 <p class="message-notice">For extra validation rules to be triggered the URI must be absolute and the
 scheme recognized. Otherwise, only basic RFC3986 rules are taken into account.</p>
 
-### Complete Scheme Validation
+### Scheme Validation
 
 For the following URI schemes (order alphabetically) full validation is taken into account.
 
@@ -156,8 +156,9 @@ For the following URI schemes (order alphabetically) full validation is taken in
 - http(s)
 - ws(s)
 - blob **(since version 7.6)**
+- mailto **(since version 7.6)**
 
-### URN Generic Validation
+#### URN Validation
 
 <p class="message-notice">Since version <code>7.6.0</code></p>
 
@@ -177,7 +178,7 @@ $uri = Uri::new('urn:isbn:foobar/baz');
 // possibly with hyphens only
 ~~~
 
-### Component Presence Validation
+### Component Validation
 
 <p class="message-notice">Since version <code>7.6.0</code></p>
 
@@ -186,17 +187,17 @@ and on the different RFCs and specifications for each URI scheme, a validation b
 component presence is used. For instance, the following URI will be rejected.
 
 ```php
-$uri = Uri::new('mailto:path/to?here');
+$uri = Uri::new('bitcoin:config/here');
 //will work
 
-$uri = Uri::new('mailto://thephpleague.com/path/to?here');
+$uri = Uri::new('bitcoin://thephpleague.com');
 // will throw a League\Uri\Exceptions\SyntaxError
 ```
 
-In the example, because a the `mailto` URI scheme cannot contain an authority component, an
+In the example, because a the `bitcoin` URI scheme cannot contain an authority component, an
 exception is thrown. On the other hand, the path has not been checked to validate that it only
-contained valid email addresses. According to RFC3986, the path component is valid, but it is
-not according to the [`mailto` RFC](https://www.rfc-editor.org/rfc/rfc6068.html).
+contained a valid bitcoin address. According to RFC3986, the path component is valid, but it is
+not according to the [`bitcoin` specification](https://en.bitcoin.it/wiki/BIP_0021#Accessibility_(URI_scheme_name)).
 
 The list of supported URI scheme can be found on the [UriScheme](https://github.com/thephpleague/uri-src/blob/master/uri/UriScheme.php) Enum
 available since version `7.6`.
@@ -327,7 +328,7 @@ The algorithm used is defined by the [WHATWG URL Living standard](https://url.sp
 
 ~~~php
 echo Uri::new('https://uri.thephpleague.com/uri/6.0/info/')->getOrigin(); //display 'https://uri.thephpleague.com';
-echo Uri::new('blob:https://mozilla.org:443')->getOrigin();               //display 'https://mozilla.org'
+echo Uri::new('blob:null/700475de-c453-11f0-8de9-0242ac120002')->getOrigin();               //display 'https://mozilla.org'
 Uri::new('file:///usr/bin/php')->getOrigin();                     //returns null
 Uri::new('data:text/plain,Bonjour%20le%20monde%21')->getOrigin(); //returns null
 ~~~
@@ -409,7 +410,7 @@ any leading zeros.
 
 ~~~php
 <?php
-Uri::new('blob:http://xn--bb-bjab.be./path')
+Uri::new('blob:http://xn--bb-bjab.be./700475de-c453-11f0-8de9-0242ac120002')
     ->isCrossOrigin('http://Bébé.BE./path'); // returns false
 
 Uri::new('https://example.com/123')
diff --git a/uri/CHANGELOG.md b/uri/CHANGELOG.md
@@ -48,7 +48,9 @@ All Notable changes to `League\Uri` will be documented in this file
 - `Uri` host encoding compliance to RFC3986 is improved by supporting RFC3986 encoded URI properly
 - `Uri` parsing with strings started or ended with empty string are no longer allowed
 - `Uri` space are rawurlencoded.
-- `Uri` validates URN as per RFC8141
+- `Uri` validates `urn` as per [RFC 8141](https://datatracker.ietf.org/doc/html/rfc8141)
+- `Uri` validates `mailto` scheme as per [RFC 6068](https://datatracker.ietf.org/doc/html/rfc6068)
+- `Uri` validates `blob` scheme as per [Blob Definition](https://w3c.github.io/FileAPI/#url)
 - `Uri::getPath` no longer trim the leading slashes (the `Http` class which is a PSR-7 compliant class still do!)
 
 ### Deprecated
diff --git a/uri/Uri.php b/uri/Uri.php
@@ -47,7 +47,6 @@
 use function base64_encode;
 use function basename;
 use function count;
-use function dd;
 use function dirname;
 use function explode;
 use function feof;
@@ -83,6 +82,7 @@
 use const FILTER_FLAG_IPV6;
 use const FILTER_NULL_ON_FAILURE;
 use const FILTER_VALIDATE_BOOLEAN;
+use const FILTER_VALIDATE_EMAIL;
 use const FILTER_VALIDATE_IP;
 
 /**
@@ -936,6 +936,7 @@ private function assertValidState(): void
         $schemeType = $scheme->type();
         match ($scheme) {
             UriScheme::Blob => $this->isValidBlob(),
+            UriScheme::Mailto => $this->isValidMailto(),
             UriScheme::Data,
             UriScheme::About,
             UriScheme::Javascript => $this->isUriWithSchemeAndPathOnly(),
@@ -1004,6 +1005,53 @@ private function isValidBlob(): bool
         }
     }
 
+    private function isValidMailto(): bool
+    {
+        if (null !== $this->authority || null !== $this->fragment || str_contains((string) $this->query, '?')) {
+            return false;
+        }
+
+        static $mailHeaders = [
+            'to', 'cc', 'bcc', 'reply-to', 'from', 'sender',
+            'resent-to', 'resent-cc', 'resent-bcc', 'resent-from', 'resent-sender',
+            'return-path', 'delivery-to', 'site-owner',
+        ];
+
+        static $headerRegexp = '/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D';
+        $pairs = QueryString::parseFromValue($this->query);
+        $hasTo = false;
+        foreach ($pairs as [$name, $value]) {
+            $headerName = strtolower($name);
+            if (in_array($headerName, $mailHeaders, true)) {
+                if (null === $value || !self::validateEmailList($value)) {
+                    return false;
+                }
+
+                if (!$hasTo && 'to' === $headerName) {
+                    $hasTo = true;
+                }
+                continue;
+            }
+
+            if (1 !== preg_match($headerRegexp, (string) Encoder::decodeAll($name))) {
+                return false;
+            }
+        }
+
+        return '' === $this->path ? $hasTo : self::validateEmailList($this->path);
+    }
+
+    private static function validateEmailList(string $emails): bool
+    {
+        foreach (explode(',', $emails) as $email) {
+            if (false === filter_var((string) Encoder::decodeAll($email), FILTER_VALIDATE_EMAIL)) {
+                return false;
+            }
+        }
+
+        return '' !== $emails;
+    }
+
     /**
      * Sets the URI origin.
      *
diff --git a/uri/UriTest.php b/uri/UriTest.php
@@ -1081,4 +1081,54 @@ public function test_it_can_return_a_unicode_string_for_the_uri(): void
         self::assertSame('https://xn--bb-bjab.be', $uri->toAsciiString());
         self::assertSame('https://bébé.be', $uri->toUnicodeString());
     }
+
+    #[DataProvider('provideValidMailtoUri')]
+    public function test_it_can_validate_mailto_uri(string $uri): void
+    {
+        self::assertInstanceOf(Uri::class, Uri::parse($uri));
+    }
+
+    public static function provideValidMailtoUri(): iterable
+    {
+        yield 'basic email' => ['uri' => 'mailto:me@thephpleague.com'];
+        yield 'basic email with subject' => ['uri' => 'mailto:me@thephpleague.com?subject=Hello'];
+        yield 'basic email with body' => ['uri' => 'mailto:infobot@example.com?body=send%20current-issue'];
+        yield 'request to subscribe to a mailing list' => ['uri' => 'mailto:majordomo@example.com?body=subscribe%20bamboo-l'];
+        yield 'email including a cc' => ['uri' => 'mailto:joe@example.com?cc=bob@example.com&body=hello'];
+        yield 'email without path but a to query string name' => ['uri' => 'mailto:?to=bob@example.com&body=hello'];
+        yield 'email without path but a to query string name case insensitive' => ['uri' => 'mailto:?To=bob@example.com&body=hello'];
+        yield 'complex email are also supported' => ['uri' => "mailto:%22%5C%5C%5C%22it's%5C%20ugly%5C%5C%5C%22%22@example.org"];
+    }
+
+    #[DataProvider('provideInvalidMailtoUri')]
+    public function test_it_can_not_validate_mailto_uri(string $uri): void
+    {
+        self::assertNull(Uri::parse($uri));
+    }
+
+    public static function provideInvalidMailtoUri(): iterable
+    {
+        yield 'path does not contain a valid email' => ['uri' => 'mailto:joe'];
+        yield 'no path and no to query' => ['uri' => 'mailto:?subject=Hello'];
+        yield 'a valid email is missing with the to parameter' => ['uri' => 'mailto:?to=Hello'];
+        yield 'email query can not contains the "?" character' => ['uri' => 'mailto:joe@example.com?cc=bob@example.com?body=hello'];
+    }
+
+    public function test_it_can_edit_a_mailto_uri(): void
+    {
+        $uri = Uri::new('?Reply-To=me@example.com')
+            ->withPath('you@example.com')
+            ->withScheme('mailto')
+            ->toString();
+
+        self::assertSame('mailto:you@example.com?Reply-To=me@example.com', $uri);
+    }
+
+    public function test_it_fails_to_edit_a_mailto_uri_in_the_wrong_order(): void
+    {
+        $this->expectException(SyntaxError::class);
+
+        Uri::new('?Reply-To=me@example.com')->withScheme('mailto');
+
+    }
 }
diff --git a/uri/WsTest.php b/uri/WsTest.php
@@ -18,7 +18,7 @@
 use PHPUnit\Framework\Attributes\TestWith;
 use PHPUnit\Framework\TestCase;
 
-#[CoversClass(\League\Uri\Uri::class)]
+#[CoversClass(Uri::class)]
 #[Group('ws')]
 #[Group('uri')]
 class WsTest extends TestCase
