Early filter invalid hosts in wp_http_validate_url()

[manhphuc]

Trac ticket: https://core.trac.wordpress.org/ticket/64457

Adds early hostname validation using the Filter extension when available, while falling back to the existing behavior when it’s not. Includes a test case for underscore hostnames.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props manhphucofficial, westonruter, sirlouen.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• The Plugin and Theme Directories cannot be accessed within Playground.
• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

[manhphuc]

Thanks for the review!

I’ve updated the patch to address all the points raised:

• hostname validation now only applies when the host is not an IPv4 address
• removed the FILTER_VALIDATE_IP check and related constant assumptions
• added test coverage for underscores in hostnames

Please let me know if anything should be adjusted further. Appreciate you taking a look!

[manhphuc]

Thanks for the feedback!

I’ve updated the patch to address all the points:

• switched the check to extension_loaded( 'filter' ) as suggested
• kept IPv4 handling separate to avoid affecting IP-based hosts
• added a test case for a valid IP host (https://1.1.1.1/)

Happy to adjust further if there’s anything else you’d like me to refine.

[westonruter]

@SirLouen what do you think?

[SirLouen]

@manhphuc I think you are shortcircuiting a little late
We have the $parse_url['host'] available much earlier.

Also, ipv4 will return a truthy value, so doing this won't be disruptive for such addresses
https://3v4l.org/Jau1h

I recommend you to debug a bit to set it in the best place. See what kind of values you are receiving earlier.

[manhphuc]

Thanks for the suggestion!

I’ve moved the IPv4 detection to right after normalizing $host, so it’s available earlier and reused in the ! $same_host branch. This keeps the behavior unchanged for IPv4 addresses, while avoiding the later short-circuit.

Let me know if you’d prefer it even earlier in the function.