Fix issue

davidperezgar · davidperezgar · commit fde76338157f · 2026-01-08T18:26:15.000+01:00
diff --git a/includes/Traits/URL_Utils.php b/includes/Traits/URL_Utils.php
@@ -23,14 +23,39 @@ trait URL_Utils {
 	 * @return bool true if the URL is valid, otherwise false.
 	 */
 	protected function is_valid_url( string $url ): bool {
-		if ( filter_var( $url, FILTER_VALIDATE_URL ) !== $url || ! str_starts_with( $url, 'http' ) ) {
+		// Must start with http or https.
+		if ( ! str_starts_with( $url, 'http' ) ) {
 			return false;
 		}
 
-		// Detect duplicated protocol (e.g., "https://http://example.com/").
+		// Parse the URL to validate its structure.
 		$parsed_url = wp_parse_url( $url );
 
-		if ( isset( $parsed_url['scheme'] ) && str_contains( substr( $url, strlen( $parsed_url['scheme'] ) + 3 ), '://' ) ) {
+		// wp_parse_url returns false on parse failure.
+		if ( false === $parsed_url || ! is_array( $parsed_url ) ) {
+			return false;
+		}
+
+		// Must have a valid scheme and host.
+		if ( empty( $parsed_url['scheme'] ) || empty( $parsed_url['host'] ) ) {
+			return false;
+		}
+
+		// Scheme must be http or https.
+		if ( ! in_array( $parsed_url['scheme'], array( 'http', 'https' ), true ) ) {
+			return false;
+		}
+
+		// Detect duplicated protocol in the host/path portion (e.g., "https://http://example.com/").
+		// Only check up to the query string to avoid false positives with URLs in query parameters.
+		$url_without_query = strtok( $url, '?' );
+		if ( false !== $url_without_query && str_contains( substr( $url_without_query, strlen( $parsed_url['scheme'] ) + 3 ), '://' ) ) {
+			return false;
+		}
+
+		// Validate host doesn't contain obviously invalid characters.
+		// Allow alphanumeric, dots, hyphens, and underscores (for localhost, etc.).
+		if ( preg_match( '/[^a-z0-9.\-_]/i', $parsed_url['host'] ) ) {
 			return false;
 		}
 
diff --git a/tests/phpunit/testdata/plugins/test-plugin-plugin-readme-valid-paypal-donate/load.php b/tests/phpunit/testdata/plugins/test-plugin-plugin-readme-valid-paypal-donate/load.php
@@ -0,0 +1,12 @@
+<?php
+/**
+ * Plugin Name: Test Plugin with Valid PayPal Donate Link
+ * Plugin URI:  https://wordpress.org/plugins/test-plugin/
+ * Description: Test plugin for valid PayPal donation URL.
+ * Version:     1.0.0
+ * Author:      plugin-check
+ * Author URI:  https://wordpress.org/plugins/test-plugin/
+ * License:     GPL-2.0+
+ * License URI: https://www.gnu.org/licenses/gpl-2.0.html
+ * Text Domain: test-plugin
+ */
diff --git a/tests/phpunit/testdata/plugins/test-plugin-plugin-readme-valid-paypal-donate/readme.txt b/tests/phpunit/testdata/plugins/test-plugin-plugin-readme-valid-paypal-donate/readme.txt
@@ -0,0 +1,13 @@
+=== Test Plugin with Valid PayPal Donate Link ===
+
+Contributors:      plugin-check
+Requires at least: 6.0
+Tested up to:      6.1
+Requires PHP:      5.6
+Stable tag:        1.0.0
+License:           GPLv2 or later
+License URI:       https://www.gnu.org/licenses/gpl-2.0.html
+Donate Link:       https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=developer@gmail.com&item_name=WordPress%20Plugin%20Donation&return=https://wordpress.org/plugins/my-plugin/
+Tags:              tag1, testing, security
+
+Here is a short description of the plugin.
diff --git a/tests/phpunit/tests/Checker/Checks/Plugin_Readme_Check_Tests.php b/tests/phpunit/tests/Checker/Checks/Plugin_Readme_Check_Tests.php
@@ -652,6 +652,25 @@ public function test_run_with_discouraged_donate_link() {
 		$this->assertCount( 1, wp_list_filter( $errors['readme.txt'][0][0], array( 'code' => 'readme_invalid_donate_link_domain' ) ) );
 	}
 
+	public function test_run_with_valid_paypal_donate_link() {
+		$check         = new Plugin_Readme_Check();
+		$check_context = new Check_Context( UNIT_TESTS_PLUGIN_DIR . 'test-plugin-plugin-readme-valid-paypal-donate/load.php' );
+		$check_result  = new Check_Result( $check_context );
+
+		$check->run( $check_result );
+
+		$errors = $check_result->get_errors();
+
+		// Should not have invalid donate link error for PayPal URLs with complex query strings.
+		if ( isset( $errors['readme.txt'] ) && isset( $errors['readme.txt'][0][0] ) ) {
+			$invalid_donate_link_errors = wp_list_filter( $errors['readme.txt'][0][0], array( 'code' => 'readme_invalid_donate_link' ) );
+			$this->assertEmpty( $invalid_donate_link_errors, 'PayPal donation URL with complex query string should be recognized as valid' );
+		} else {
+			// If no errors at all, that's also fine - the URL is valid.
+			$this->assertTrue( true );
+		}
+	}
+
 	public function test_run_language_detection_with_non_english_content() {
 		$check         = new Plugin_Readme_Check();
 		$check_context = new Check_Context( UNIT_TESTS_PLUGIN_DIR . 'test-plugin-plugin-readme-errors-language/load.php' );
diff --git a/tests/phpunit/tests/Traits/URL_Utils_Tests.php b/tests/phpunit/tests/Traits/URL_Utils_Tests.php
@@ -26,6 +26,11 @@ public function data_url_items() {
 			array( 'https://example.com/page.html', true ),
 			array( 'https://http://example.com/', false ),
 			array( 'ftp://example.com/file.txt', false ),
+			// PayPal donation URLs with complex query strings.
+			array( 'https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=developer@gmail.com&item_name=WordPress%20Plugin%20Donation&return=https://wordpress.org/plugins/my-plugin/', true ),
+			array( 'https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=test@example.com&item_name=Support%20My%20Plugin', true ),
+			array( 'https://paypal.me/username/5USD', true ),
+			array( 'https://www.paypal.com/donate/?hosted_button_id=123456', true ),
 		);
 	}
 
