fix: Invalid scheme check in Attr.TargetBlank #363
Merged
Commits on Jan 26, 2023
-
fix: Invalid scheme check in Attr.TargetBlank
When `Attr.TargetBlank` is enabled, a PHP warning is logged if an `href` attribute contains an invalid URI scheme. Normally an `href` like `javascript:void(0)` or `itms-apps://itunes.apple.com/developer/id1234567890` would be removed by the default `HTMLPurifier_Config` configuration. However, it's possible to insert a URL with an unknown context from a trusted source after filtering. For instance, an `HTMLPurifier_URIFilter` extension. This patch doesn't change any functionality or permit anything new, it simply adds error checking around `$url->getSchemeObj()` which returns `HTMLPurifier_URIScheme|false`. The `false` case is currently not handled, resulting in error log entries under PHP 8.x like the following: ~~~ Attempt to read property "browsable" on bool /PATH/TO/APP/vendor/ezyang/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php:L38 ~~~
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.