ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

"Trying to get property 'browsable' of non-object" in HTMLPurifier_AttrTransform_* methods, because parse or getSchemeObj of HTMLPurifier_URIParser can return false #343

Open alexander-xyz opened 1 year ago

alexander-xyz commented 1 year ago

Hi! I have a PHP error "Trying to get property 'browsable' of non-object" when I execute code in HTMLPurifier_AttrTransform_TargetBlank and HTMLPurifier_AttrTransform_Nofollow, because they don't check the results of

(new HTMLPurifier_URIParser())->parse(...) (can return false)
(new HTMLPurifier_URIParser())->parse(...)->getSchemeObj(...) (can also return false)

for a false value. The methods assume that only an object can be returned.

$url = $this->parser->parse($attr['href']);
$scheme = $url->getSchemeObj($config, $context);

if ($scheme->browsable && !$url->isLocal($config, $context)) {

needs to be replaced with something like this:

$url = $this->parser->parse($attr['href']);
if (!$url) {
    return $attr; // href did not parse as a URI
}
$scheme = $url->getSchemeObj($config, $context);
if (!$scheme) {
    return $attr; // unknown or disallowed scheme
}
if ($scheme->browsable && !$url->isLocal($config, $context)) {

You can test purify on HTML like this:

<a href="javascript:">some text</a>

My config for new HTMLPurifier:

$config = HTMLPurifier_Config::createDefault();
$config->set("HTML.Nofollow", true);
$config->set("HTML.TargetNoreferrer", true);
$config->set("HTML.TargetNoopener", true);
$config->set("HTML.TargetBlank", true);
$config->set('Attr.EnableID', true);
$def = $config->getHTMLDefinition(true);
$def->addAttribute('img', 'src', new ParameterURIDefinition($this->whiteListedResources));
$def->addAttribute('div', 'data-react', new \HTMLPurifier_AttrDef_Text());
$def->addAttribute('a', 'href', new \HTMLPurifier_AttrDef_Text());
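The following is an added example, not HTMLPurifier's own code and not code from the reporter. It shows the guarded form of the href check as a reusable helper, wires it into a custom post-attribute transform, and runs it against the reporter's `javascript:` input. It assumes HTMLPurifier is installed via Composer (`vendor/autoload.php`); `browsableExternalUri` and `SafeTargetBlank` are names chosen for this example. Note the security-relevant detail behind the crash: the reporter's config replaces the `href` definition with `HTMLPurifier_AttrDef_Text`, so hrefs are no longer validated as URIs at all. With the stock URI definition a `javascript:` href is dropped during attribute validation, before `attr_transform_post` runs, so the built-in transforms never see an unparseable or unknown-scheme URL.

```php
<?php
// Added example (not part of the HTMLPurifier project). Assumes a Composer
// install of ezyang/htmlpurifier; helper and class names are this example's own.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Null-safe version of the check used by TargetBlank/Nofollow.
 * Returns the parsed URI only when the href parsed, its scheme is registered
 * and browsable, and the URI is not local; otherwise returns null instead of
 * dereferencing a `false`.
 */
function browsableExternalUri(
    HTMLPurifier_URIParser $parser,
    string $href,
    HTMLPurifier_Config $config,
    HTMLPurifier_Context $context
): ?HTMLPurifier_URI {
    $url = $parser->parse($href);
    if ($url === false) {               // HTMLPurifier_URIParser::parse() failed
        return null;
    }
    $scheme = $url->getSchemeObj($config, $context);
    if ($scheme === false) {            // e.g. "javascript:" is not a registered scheme
        return null;
    }
    if (!$scheme->browsable || $url->isLocal($config, $context)) {
        return null;
    }
    return $url;
}

/** Post-attribute transform that adds target="_blank" only for browsable external links. */
class SafeTargetBlank extends HTMLPurifier_AttrTransform
{
    private $parser;

    public function __construct()
    {
        $this->parser = new HTMLPurifier_URIParser();
    }

    public function transform($attr, $config, $context)
    {
        if (!isset($attr['href'])) {
            return $attr;
        }
        if (browsableExternalUri($this->parser, $attr['href'], $config, $context) !== null) {
            $attr['target'] = '_blank';
        }
        return $attr;
    }
}

// Reproduce the reporter's setup: href validated only as text, so any value
// (including "javascript:") reaches the post-transforms. The built-in
// HTML.TargetBlank transform is left off; the guarded one is registered instead.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.TargetBlank', false);
$def = $config->getHTMLDefinition(true);
$def->addAttribute('a', 'href', new HTMLPurifier_AttrDef_Text());
$def->addBlankElement('a')->attr_transform_post[] = new SafeTargetBlank();

$purifier = new HTMLPurifier($config);

// Constructed inputs: the reporter's crashing case and an ordinary external link.
echo $purifier->purify('<a href="javascript:">some text</a>'), "\n";     // no PHP error; no target added
echo $purifier->purify('<a href="https://example.com/">ext</a>'), "\n";  // target="_blank" added
```

The helper is deliberately strict: any `false` from `parse()` or `getSchemeObj()` is treated as "not a browsable external link", which matches what the built-in transforms intend and avoids the property access on a non-object. Keeping the stock `HTMLPurifier_AttrDef_URI` on `a href` is still the right default, since it is what rejects `javascript:` and other disallowed schemes before they reach the output.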