diff --git a/README.md b/README.md
index 25af675ed..a4840e7ea 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,7 @@ Validator | Description
**isSlug** | Check if the string is of type slug. `Options` allow a single hyphen between string. e.g. [`cn-cn`, `cn-c-c`]
**isStrongPassword(str [, options])** | Check if a password is strong or not. Allows for custom requirements or scoring rules. If `returnScore` is true, then the function returns an integer score for the password rather than a boolean.
Default options:
`{ minLength: 8, minLowercase: 1, minUppercase: 1, minNumbers: 1, minSymbols: 1, returnScore: false, pointsPerUnique: 1, pointsPerRepeat: 0.5, pointsForContainingLower: 10, pointsForContainingUpper: 10, pointsForContainingNumber: 10, pointsForContainingSymbol: 10 }`
**isTaxID(str, locale)** | Check if the given value is a valid Tax Identification Number. Default locale is `en-US`.
More info about exact TIN support can be found in `src/lib/isTaxID.js`
Supported locales: `[ 'bg-BG', 'cs-CZ', 'de-AT', 'de-DE', 'dk-DK', 'el-CY', 'el-GR', 'en-GB', 'en-IE', 'en-US', 'es-ES', 'et-EE', 'fi-FI', 'fr-BE', 'fr-FR', 'fr-LU', 'hr-HR', 'hu-HU', 'it-IT', 'lb-LU', 'lt-LT', 'lv-LV' 'mt-MT', 'nl-BE', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ro-RO', 'sk-SK', 'sl-SI', 'sv-SE' ]`
-**isURL(str [, options])** | check if the string is an URL.
`options` is an object which defaults to `{ protocols: ['http','https','ftp'], require_tld: true, require_protocol: false, require_host: true, require_port: false, require_valid_protocol: true, allow_underscores: false, host_whitelist: false, host_blacklist: false, allow_trailing_dot: false, allow_protocol_relative_urls: false, disallow_auth: false, validate_length: true }`.
require_protocol - if set as true isURL will return false if protocol is not present in the URL.
require_valid_protocol - isURL will check if the URL's protocol is present in the protocols option.
protocols - valid protocols can be modified with this option.
require_host - if set as false isURL will not check if host is present in the URL.
require_port - if set as true isURL will check if port is present in the URL.
allow_protocol_relative_urls - if set as true protocol relative URLs will be allowed.
validate_length - if set as false isURL will skip string length validation (2083 characters is IE max URL length).
+**isURL(str [, options])** | check if the string is an URL.
`options` is an object which defaults to `{ protocols: ['http','https','ftp'], require_tld: true, require_protocol: false, require_host: true, require_port: false, require_valid_protocol: true, allow_underscores: false, host_whitelist: false, host_blacklist: false, allow_trailing_dot: false, allow_protocol_relative_urls: false, allow_fragments: true, allow_query_components: true, disallow_auth: false, validate_length: true }`.
require_protocol - if set as true isURL will return false if protocol is not present in the URL.
require_valid_protocol - isURL will check if the URL's protocol is present in the protocols option.
protocols - valid protocols can be modified with this option.
require_host - if set as false isURL will not check if host is present in the URL.
require_port - if set as true isURL will check if port is present in the URL.
allow_protocol_relative_urls - if set as true protocol relative URLs will be allowed.
allow_fragments - if set as false isURL will return false if fragments are present.
allow_query_components - if set as false isURL will return false if query components are present.
validate_length - if set as false isURL will skip string length validation (2083 characters is IE max URL length).
**isUUID(str [, version])** | check if the string is a UUID (version 3, 4 or 5).
**isVariableWidth(str)** | check if the string contains a mixture of full and half-width chars.
**isVAT(str, countryCode)** | checks that the string is a [valid VAT number](https://en.wikipedia.org/wiki/VAT_identification_number) if validation is available for the given country code matching [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).
Available country codes: `[ 'GB', 'IT' ]`.
diff --git a/src/lib/isURL.js b/src/lib/isURL.js
index 4306e5deb..254297377 100644
--- a/src/lib/isURL.js
+++ b/src/lib/isURL.js
@@ -28,6 +28,8 @@ const default_url_options = {
allow_underscores: false,
allow_trailing_dot: false,
allow_protocol_relative_urls: false,
+ allow_fragments: true,
+ allow_query_components: true,
validate_length: true,
};
@@ -61,6 +63,14 @@ export default function isURL(url, options) {
return false;
}
+ if (!options.allow_fragments && url.includes('#')) {
+ return false;
+ }
+
+ if (!options.allow_query_components && (url.includes('?') || url.includes('&'))) {
+ return false;
+ }
+
let protocol, auth, host, hostname, port, port_str, split, ipv6;
split = url.split('#');
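Review bot: The `url.includes('&')` test in the `allow_query_components` guard rejects every URL that contains an ampersand, not only URLs with a query. `&` is a legal path and fragment character and only separates parameters after a `?`, so `http://foobar.com/a&b` would be refused although it has no query component. The `?` test also runs on the whole string, so a `?` inside a fragment is counted as a query. Because the fragment is split off on the very next line, I would check only the part before `#` and drop the ampersand test: `if (!options.allow_query_components && url.split('#')[0].includes('?')) { return false; }`. The rest of isURL's body is outside this hunk, so confirm that nothing later relies on the stricter rejection.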
diff --git a/test/validators.js b/test/validators.js
index 6bb607282..fd6dc2e23 100644
--- a/test/validators.js
+++ b/test/validators.js
@@ -541,6 +541,42 @@ describe('Validators', () => {
});
});
+ it('should not validate URLs with fragments when allow fragments is false', () => {
+ test({
+ validator: 'isURL',
+ args: [{
+ allow_fragments: false,
+ }],
+ valid: [
+ 'http://foobar.com',
+ 'foobar.com',
+ ],
+ invalid: [
+ 'http://foobar.com#part',
+ 'foobar.com#part',
+ ],
+ });
+ });
+
+ it('should not validate URLs with query components when allow query components is false', () => {
+ test({
+ validator: 'isURL',
+ args: [{
+ allow_query_components: false,
+ }],
+ valid: [
+ 'http://foobar.com',
+ 'foobar.com',
+ ],
+ invalid: [
+ 'http://foobar.com?foo=bar',
+ 'http://foobar.com?foo=bar&bar=foo',
+ 'foobar.com?foo=bar',
+ 'foobar.com?foo=bar&bar=foo',
+ ],
+ });
+ });
+
it('should not validate protocol relative URLs when require protocol is true', () => {
test({
validator: 'isURL',
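Review bot: The two new cases only exercise a non-empty fragment or query, so the boundaries of `allow_fragments` and `allow_query_components` are not pinned by any test. Add the empty-component forms `'http://foobar.com#'` and `'http://foobar.com?'`, an ampersand outside a query such as `'http://foobar.com/a&b'`, and a `?` inside a fragment such as `'http://foobar.com#a?b'`, each placed in whichever list reflects the intended result. Callers who use these options to restrict the URLs they accept depend on exactly these edge cases, and with the current tests a later change to the guards could alter them unnoticed. A case that sets both options to `false` together would also be worth adding. The enclosing `describe` block starts and ends outside the hunk.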