php version guide
PHP 8.5 URI Extension
PHP 8.5 includes an always-available URI extension for parsing and manipulating URIs and URLs. It provides separate RFC 3986 and WHATWG-oriented APIs because those standards serve different use cases.
Changes Worth Recognising
- Use Uri\Rfc3986\Uri when RFC 3986 URI semantics fit the boundary.
- Use Uri\WhatWg\Url when browser-style URL behaviour is required.
- Treat a syntactically valid URI as untrusted input: validation is not authorisation.
- Allow-list schemes and hosts before fetching remote resources or redirecting users.
Parse a URI
PHP example
<?php
use Uri\Rfc3986\Uri;
$uri = new Uri('https://example.com/products?page=2');
echo $uri->getHost() . PHP_EOL;
echo $uri->getPath() . PHP_EOL;
// Prints:
// example.com
// /products
Upgrade Review
- Do not use successful parsing as an SSRF defence.
- Test encoded, relative, and unusual input forms relevant to the boundary.
- Keep redirect and outbound-request allow-lists explicit.
The extension improves parsing, but application-specific trust decisions remain application code.
Practice
Inspect an Allowed Redirect
Parse an HTTPS redirect URI, print its host, and describe the allow-list check needed before redirecting a user.
Solution
Parse with the chosen URI class, require the expected scheme, and compare the normalised host against an explicit allow-list. Parsing alone is insufficient.
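One way to implement the allow-list check described in the solution, as an added example that is not part of the original guide. The helper name allowedRedirectTarget, the ALLOWED_REDIRECT_HOSTS list and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
use Uri\Rfc3986\Uri;

// Assumption: the only hosts this application redirects to (constructed values).
const ALLOWED_REDIRECT_HOSTS = ['example.com', 'shop.example.com'];

// Hypothetical helper: returns the redirect target, or null when it is rejected.
function allowedRedirectTarget(string $input): ?string
{
    // parse() returns null for invalid input instead of throwing.
    $uri = Uri::parse($input);
    if ($uri === null) {
        return null;
    }
    // Require an absolute https URI; relative references have no scheme.
    if (strtolower((string) $uri->getScheme()) !== 'https') {
        return null;
    }
    // Userinfo lets text that looks like a host sit in front of the real host.
    if ($uri->getUserInfo() !== null) {
        return null;
    }
    // Accept only the default HTTPS port.
    $port = $uri->getPort();
    if ($port !== null && $port !== 443) {
        return null;
    }
    // Exact match on the lower-cased host: no suffix or substring matching.
    $host = strtolower((string) $uri->getHost());
    if (!in_array($host, ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $uri->toString();
}

// Constructed sample inputs covering valid, relative and unusual forms.
$samples = [
    'https://example.com/account',
    'HTTPS://SHOP.EXAMPLE.COM/cart',
    'http://example.com/account',
    'https://example.com.other.test/',
    'https://example.com@other.test/',
    '//other.test/path',
    '/account',
];
foreach ($samples as $candidate) {
    printf("%-36s => %s\n", $candidate, allowedRedirectTarget($candidate) ?? 'rejected');
}
```

This sketch rejects relative references outright; an application that also redirects to its own relative paths needs a separate, equally explicit rule for them.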