In search of the perfect URL validation regex

To clarify, I’m looking for a decent regular expression to validate URLs that were entered as user input with. I have no interest in parsing a list of URLs from a given string of text (even though some of the regexes on this page are capable of doing that). I also don’t want to allow every possible technically valid URL — quite the opposite. See the URL Standard if you’re looking to parse URLs in the same way that browsers do.

Assume that this regex will be used for a public URL shortener written in PHP, so URLs like http://localhost/, //foo.bar/, ://foo.bar/, data:text/plain;charset=utf-8,OHAI and tel:+1234567890 shouldn’t pass (even though they’re technically valid). Also, in this case I only want to allow the HTTP, HTTPS and FTP protocols.

Also, single weird leading and/or trailing characters aren’t tested for. Just imagine you’re doing this before testing $url with the regex:

$url = trim($url, '!"#$%&\'()*+,-./@:;<=>[\\]^_`{|}~');

Note that I’ve added the S modifier to all the regexes to speed up the tests. In real-world usage, this modifier can be omitted.

Here’s a plain text list of all the URLs used in the test.

Diego Perini posted his version as a gist.

URL	Spoon Library	@krijnhoetmer	@gruber	@gruber v2	@cowboy	Jeffrey Friedl	@mattfarina	@stephenhay	@scottgonzales	@rodneyrehm	@imme_emosol	@diegoperini	Using filter_var()
These URLs should match (1 → correct)
http://foo.com/blah_blah	1	1	1	1	1	1	1	1	1	1	1	1	1
http://foo.com/blah_blah/	1	1	1	1	1	1	1	1	1	1	1	1	1
http://foo.com/blah_blah_(wikipedia)	1	1	1	1	1	1	1	1	1	0	1	1	1
http://foo.com/blah_blah_(wikipedia)_(again)	1	1	1	1	1	1	1	1	1	0	1	1	1
http://www.example.com/wpstyle/?p=364	1	1	1	1	1	1	1	1	1	1	1	1	1
https://www.example.com/foo/?bar=baz&inga=42&quux	1	1	1	1	1	1	1	1	1	1	1	1	1
http://✪df.ws/123	0	0	1	1	1	1	0	1	1	1	1	1	0
http://userid:password@example.com:8080	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid:password@example.com:8080/	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid@example.com	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid@example.com/	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid@example.com:8080	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid@example.com:8080/	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid:password@example.com	0	1	1	1	1	0	1	1	1	1	1	1	1
http://userid:password@example.com/	0	1	1	1	1	0	1	1	1	1	1	1	1
http://142.42.1.1/	0	1	1	1	1	1	1	1	1	1	1	1	1
http://142.42.1.1:8080/	0	1	1	1	1	1	1	1	1	1	1	1	1
http://➡.ws/䨹	0	0	1	1	1	0	0	1	1	0	1	1	0
http://⌘.ws	0	0	1	1	1	0	0	1	1	1	1	1	0
http://⌘.ws/	0	0	1	1	1	0	0	1	1	1	1	1	0
http://foo.com/blah_(wikipedia)#cite-1	1	1	1	1	1	1	1	1	1	1	1	1	1
http://foo.com/blah_(wikipedia)_blah#cite-1	1	1	1	1	1	1	1	1	1	1	1	1	1
http://foo.com/unicode_(✪)_in_parens	1	1	1	1	1	1	0	1	1	1	1	1	0
http://foo.com/(something)?after=parens	1	1	1	1	1	1	1	1	1	1	1	1	1
http://☺.damowmow.com/	0	1	1	1	1	0	0	1	1	1	1	1	0
http://code.google.com/events/#&product=browser	1	1	1	1	1	1	1	1	1	1	1	1	1
http://j.mp	1	1	1	1	1	1	1	1	1	1	1	1	1
ftp://foo.bar/baz	0	0	1	1	1	1	1	1	1	1	1	1	1
http://foo.bar/?q=Test%20URL-encoded%20stuff	0	1	1	1	1	1	1	1	1	1	1	1	1
http://مثال.إختبار	0	0	1	1	1	0	0	1	1	0	1	1	0
http://例子.测试	0	0	1	1	1	0	0	1	1	0	1	1	0
http://उदाहरण.परीक्षा	0	0	1	1	1	0	0	1	1	0	1	1	0
http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com	0	1	0	1	1	0	0	1	1	1	1	1	1
http://1337.net	1	1	1	1	1	1	1	1	1	1	1	1	1
http://a.b-c.de	1	1	1	1	1	1	1	1	1	1	0	1	1
http://223.255.255.254	0	1	1	1	1	1	1	1	1	1	1	1	1
These URLs should fail (0 → correct)
http://	0	0	0	0	0	0	0	0	1	0	0	0	0
http://.	0	0	0	0	1	0	1	0	1	0	0	0	0
http://..	0	0	0	0	1	0	1	0	1	0	0	0	0
http://../	0	1	1	1	1	0	1	0	1	1	0	0	0
http://?	0	0	0	0	1	0	0	0	1	0	0	0	0
http://??	0	0	0	0	1	0	0	0	1	0	0	0	0
http://??/	0	1	1	1	1	0	0	0	1	1	0	0	0
http://#	0	0	0	1	1	0	0	0	1	1	0	0	0
http://##	0	1	0	1	1	0	0	0	1	1	0	0	0
http://##/	0	1	1	1	1	0	0	0	1	1	0	0	0
http://foo.bar?q=Spaces should be encoded	0	1	1	1	1	1	0	0	1	1	0	0	0
//	0	0	0	0	0	0	0	0	0	0	0	0	0
//a	0	0	0	0	0	0	0	0	0	0	0	0	0
///a	0	0	0	0	0	0	0	0	0	0	0	0	0
///	0	0	0	0	0	0	0	0	0	0	0	0	0
http:///a	0	1	1	1	1	0	0	0	1	1	0	0	0
foo.com	0	0	0	0	1	0	0	0	0	0	0	0	0
rdar://1234	0	0	1	1	1	0	1	0	1	0	0	0	1
h://test	0	0	1	0	1	0	1	0	1	0	0	0	1
http:// shouldfail.com	0	0	0	0	1	0	0	0	1	1	0	0	0
:// should fail	0	0	0	0	0	0	0	0	0	0	0	0	0
http://foo.bar/foo(bar)baz quux	0	1	1	1	1	1	0	0	1	1	0	0	0
ftps://foo.bar/	0	0	1	1	1	0	1	0	1	0	0	0	1
http://-error-.invalid/	0	1	1	1	1	1	1	1	1	1	0	0	0
http://a.b--c.de/	1	1	1	1	1	1	1	1	1	1	0	0	1
http://-a.b.co	1	1	1	1	1	1	1	1	1	1	0	0	0
http://a.b-.co	1	1	1	1	1	1	1	1	1	1	0	0	1
http://0.0.0.0	0	1	1	1	1	1	1	1	1	1	1	0	1
http://10.1.1.0	0	1	1	1	1	1	1	1	1	1	1	0	1
http://10.1.1.255	0	1	1	1	1	1	1	1	1	1	1	0	1
http://224.1.1.1	0	1	1	1	1	1	1	1	1	1	1	0	1
http://1.1.1.1.1	0	1	1	1	1	1	1	1	1	1	1	0	1
http://123.123.123	0	1	1	1	1	1	1	1	1	1	1	0	1
http://3628126748	0	1	1	1	1	0	1	1	1	1	1	0	1
http://.www.foo.bar/	0	1	1	1	1	0	1	0	1	1	0	0	0
http://www.foo.bar./	0	1	1	1	1	1	1	1	1	1	1	0	0
http://.www.foo.bar./	0	1	1	1	1	0	1	0	1	1	0	0	0
http://10.1.1.1	0	1	1	1	1	1	1	1	1	1	1	0	1
http://10.1.1.254	0	1	1	1	1	1	1	1	1	1	1	0	1

Spoon Library (979 chars)

/(((http|ftp|https):\/{2})+(([0-9a-z_-]+\.)+(aero|asia|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mg|mh|mk|ml|mn|mn|mo|mp|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|nom|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ra|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tl|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw|arpa)(:[0-9]+)?((\/([~0-9a-zA-Z\#\+\%@\.\/_-]+))?(\?[0-9a-zA-Z\+\%@\/&\[\];=_-]+)?)?))\b/imuS

@krijnhoetmer (115 chars)

_(^|[\s.:;?\-\]<\(])(https?://[-\w;/?:@&=+$\|\_.!~*\|'()\[\]%#,☺]+[\w/#](\(\))?)(?=$|[\s',\|\(\).:;?\-\[\]>\)])_i

@gruber (71 chars)

#\b(([\w-]+://?|www[.])[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|/)))#iS

@gruber v2 (218 chars)

#(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»“”‘’]))#iS

@cowboy (1241 chars)

~(?:\b[a-z\d.-]+://[^<>\s]+|\b(?:(?:(?:[^\s!@#$%^&*()_=+[\]{}\|;:'",.<>/?]+)\.)+(?:ac|ad|aero|ae|af|ag|ai|al|am|an|ao|aq|arpa|ar|asia|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|biz|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|cat|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|coop|com|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|info|int|in|io|iq|ir|is|it|je|jm|jobs|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mg|mh|mil|mk|ml|mm|mn|mobi|mo|mp|mq|mr|ms|mt|museum|mu|mv|mw|mx|my|mz|name|na|nc|net|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pro|pr|ps|pt|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tel|tf|tg|th|tj|tk|tl|tm|tn|to|tp|travel|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|xn--0zwm56d|xn--11b5bs3a9aj6g|xn--80akhbyknj4f|xn--9t4b11yi5a|xn--deba0ad|xn--g6w251d|xn--hgbk6aj7f53bba|xn--hlcj6aya9esc7a|xn--jxalpdlp|xn--kgbechtv|xn--zckzah|ye|yt|yu|za|zm|zw)|(?:(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]))(?:[;/][^#?<>\s]*)?(?:\?[^#<>\s]*)?(?:#[^<>\s]*)?(?!\w))~iS

Jeffrey Friedl (241 chars)

@\b((ftp|https?)://[-\w]+(\.\w[-\w]*)+|(?:[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\.)+(?: com\b|edu\b|biz\b|gov\b|in(?:t|fo)\b|mil\b|net\b|org\b|[a-z][a-z]\b))(\:\d+)?(/[^.!,?;"'<>()\[\]{}\s\x7F-\xFF]*(?:[.!,?]+[^.!,?;"'<>()\[\]{}\s\x7F-\xFF]+)*)?@iS

@mattfarina (287 chars)

/^([a-z][a-z0-9\*\-\.]*):\/\/(?:(?:(?:[\w\.\-\+!$&'\(\)*\+,;=]|%[0-9a-f]{2})+:)*(?:[\w\.\-\+%!$&'\(\)*\+,;=]|%[0-9a-f]{2})+@)?(?:(?:[a-z0-9\-\.]|%[0-9a-f]{2})+|(?:\[(?:[0-9a-f]{0,4}:)*(?:[0-9a-f]{0,4})\]))(?::[0-9]+)?(?:[\/|\?](?:[\w#!:\.\?\+=&@!$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})*)?$/xiS

@stephenhay (38 chars)

@^(https?|ftp)://[^\s/$.?#].[^\s]*$@iS

@scottgonzales (1347 chars)

#([a-z]([a-z]|\d|\+|-|\.)*):(\/\/(((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:)*@)?((\[(|(v[\da-f]{1,}\.(([a-z]|\d|-|\.|_|~)|[!\$&'\(\)\*\+,;=]|:)+))\])|((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|(([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=])*)(:\d*)?)(\/(([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*|(\/((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)?)|((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)|((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)){0})(\?((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|[\xE000-\xF8FF]|\/|\?)*)?(\#((([a-z]|\d|-|\.|_|~|[\x00A0-\xD7FF\xF900-\xFDCF\xFDF0-\xFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|\/|\?)*)?#iS

@rodneyrehm (109 chars)

#((https?://|ftp://|www\.|[^\s:=]+@www\.).*?[a-z_\/0-9\-\#=&])(?=(\.|,|;|\?|\!)?("|'|«|»|\[|\s|\r|\n|$))#iS

@imme_emosol (54 chars)

@(https?|ftp)://(-\.)?([^\s/?\.#-]+\.?)+(/[^\s]*)?$@iS

@diegoperini (502 chars)

_^(?:(?:https?|ftp)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS

— Mathias