ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

fix: Invalid scheme check in Attr.TargetBlank #363

Closed jstanden closed 1 year ago

jstanden commented 1 year ago

When Attr.TargetBlank is enabled, a PHP warning is logged if an href attribute contains an invalid URI scheme.

Normally an href like javascript:void(0) or itms-apps://itunes.apple.com/developer/id1234567890 would be removed by the default HTMLPurifier_Config configuration.

However, it's possible to insert a URL with an unknown context from a trusted source after filtering. For instance, an HTMLPurifier_URIFilter extension.

This patch doesn't change any functionality or permit anything new, it simply adds error checking around $url->getSchemeObj() which returns HTMLPurifier_URIScheme|false.

The false case is currently not handled, resulting in error log entries under PHP 8.x like the following:

Attempt to read property "browsable" on bool /PATH/TO/APP/vendor/ezyang/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php:L38
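
The guarded check the PR describes, written out as an added example (this is not code from the PR or from HTMLPurifier itself). It assumes ezyang/htmlpurifier is installed with Composer so that vendor/autoload.php exists; the helper targetBlankDecision() and the sample hrefs are constructed for the illustration. It calls the library's own HTMLPurifier_URIParser and HTMLPurifier_URI::getSchemeObj(), so the false case is produced the same way TargetBlank sees it.

```php
<?php
// Added example, not the project's own code. Assumes ezyang/htmlpurifier is
// installed via Composer so that vendor/autoload.php is present.
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Attr.TargetBlank', true);
$context = new HTMLPurifier_Context();
$parser  = new HTMLPurifier_URIParser();

/**
 * Hypothetical helper: decide whether an href would get target="_blank",
 * guarding the HTMLPurifier_URIScheme|false return of getSchemeObj().
 * Without the `$scheme === false` branch, reading ->browsable on false
 * produces, on PHP 8: Attempt to read property "browsable" on bool
 * (and the condition still evaluates false, so the outcome is unchanged).
 */
function targetBlankDecision(
    string $href,
    HTMLPurifier_Config $config,
    HTMLPurifier_Context $context,
    HTMLPurifier_URIParser $parser
): string {
    $url = $parser->parse($href);
    if ($url === false) {
        return 'unparseable href, left alone';
    }

    $scheme = $url->getSchemeObj($config, $context);
    if ($scheme === false) {
        // Unknown or disallowed scheme (not in URI.AllowedSchemes). The
        // default config strips such hrefs, but a trusted URIFilter can
        // still place one here after filtering; skip without warning.
        return 'no scheme object, left alone';
    }

    if ($scheme->browsable && !$url->isBenign($config, $context)) {
        return 'target="_blank" added';
    }
    return 'non-browsable scheme or local link, left alone';
}

// Constructed sample hrefs. The last two are the kind of value a trusted
// post-filter could inject; the default configuration would remove them.
$samples = [
    'https://example.com/page',
    '/relative/path',
    'mailto:someone@example.com',
    'javascript:void(0)',
    'itms-apps://itunes.apple.com/developer/id1234567890',
];

foreach ($samples as $href) {
    printf("%-55s => %s\n", $href, targetBlankDecision($href, $config, $context, $parser));
}
```

Run it under PHP 8 with and without the `$scheme === false` branch: the decisions are identical for every sample, but only the unguarded version emits the warning for the javascript: and itms-apps: entries, which is the point the PR makes about adding a check without changing behaviour.
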
github-actions[bot] commented 7 months ago

:tada: This PR is included in version 4.17.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: