ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

Possible E_DEPRECATED in HostBlacklist under PHP 8.1 #322

Closed Firehed closed 2 years ago

Firehed commented 2 years ago

When purifying HTML containing an anchor tag containing only the fragment component, an E_DEPRECATED error is emitted from the host blacklist if it's configured. Depending on the application config, this may get upgraded to an ErrorException and cause a crash, but that's not relevant to the underlying issue.

HTMLPurifier version: v4.14.0 (found on an earlier version but updated to latest release to be sure)

Uncaught exception: ErrorException: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /var/www/html/vendor/ezyang/htmlpurifier/library/HTMLPurifier/URIFilter/HostBlacklist.php:38

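Simple reproduction case:

```php
<?php
require 'vendor/autoload.php';

// Allow only <a href>, and configure a host blacklist so the filter runs.
$pc = HTMLPurifier_Config::create([
    'HTML.Allowed' => 'a[href]',
    'URI.HostBlacklist' => [
        'example.com',
    ],
]);
$p = new HTMLPurifier($pc);

// Fragment-only href: the parsed URI has no host component.
var_dump($p->purify(<<<HTML
<a href="#fn-1">Footnote </a>
HTML));
```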

Possible fix: cast $uri->host to string on the mentioned line.

Update - related to #310 I think.
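
The failure mode reported above, as an added stand-alone example (not HTML Purifier's code and not part of the original report): a substring host check run with and without the string cast, under an error handler that upgrades PHP errors to `ErrorException`. The function names, the sample URIs and the use of `parse_url()` in place of the library's own URI parsing are assumptions made for illustration.

```php
<?php
// Added illustration; the function names below are hypothetical and are
// not HTML Purifier's API. Blacklist and URIs are constructed samples.

// Mirror the "upgraded to an ErrorException" setup described in the issue.
set_error_handler(function (int $no, string $msg, string $file, int $line) {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Unguarded check: on PHP 8.1+ a null host makes strpos() emit E_DEPRECATED.
function hostAllowedUnguarded(?string $host, array $blacklist): bool
{
    foreach ($blacklist as $fragment) {
        if (strpos($host, $fragment) !== false) {
            return false;
        }
    }
    return true;
}

// Guarded check: the cast proposed in the issue turns null into ''.
function hostAllowedGuarded(?string $host, array $blacklist): bool
{
    $host = (string) $host;
    foreach ($blacklist as $fragment) {
        if (strpos($host, $fragment) !== false) {
            return false;
        }
    }
    return true;
}

$blacklist = ['example.com'];
$samples = ['#fn-1', 'http://example.com/page', 'http://sub.example.com/', 'https://example.org/'];

foreach ($samples as $href) {
    // parse_url() yields no host component for a fragment-only reference.
    $host = parse_url($href, PHP_URL_HOST);
    try {
        $unguarded = hostAllowedUnguarded($host, $blacklist) ? 'allow' : 'block';
    } catch (ErrorException $e) {
        $unguarded = 'error: ' . $e->getMessage();
    }
    $guarded = hostAllowedGuarded($host, $blacklist) ? 'allow' : 'block';
    printf("%-28s unguarded=%s | guarded=%s\n", $href, $unguarded, $guarded);
}
```

On PHP versions before 8.1 both columns agree, because the null host is silently coerced to an empty string. The sample set includes blacklisted hosts so the same run confirms the cast does not weaken the block decision.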

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 4.16.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: