
fix: Invalid scheme check in Attr.TargetBlank #363

Merged: ezyang merged 1 commit into ezyang:master from jstanden:jstanden-patch-1 on Jan 27, 2023

Conversation

jstanden (Contributor) commented Jan 26, 2023

When `Attr.TargetBlank` is enabled, a PHP warning is logged if an `href` attribute contains an invalid URI scheme.

Normally an `href` like `javascript:void(0)` or `itms-apps://itunes.apple.com/developer/id1234567890` would be removed by the default `HTMLPurifier_Config` configuration.

However, it's possible to insert a URL with an unknown context from a trusted source after filtering. For instance, an `HTMLPurifier_URIFilter` extension.

This patch doesn't change any functionality or permit anything new, it simply adds error checking around `$url->getSchemeObj()` which returns `HTMLPurifier_URIScheme|false`.

The `false` case is currently not handled, resulting in error log entries under PHP 8.x like the following:

~~~
Attempt to read property "browsable" on bool /PATH/TO/APP/vendor/ezyang/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php:L38
~~~
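To make the failure mode concrete, here is a constructed PHP model of the pattern described above. It is an added example, not HTMLPurifier's code and not the diff merged in this PR: the class `SchemeInfo`, the function `lookupScheme()` (a stand-in for `$url->getSchemeObj()`, which returns an object or `false`), and the two transform functions are hypothetical, as is the small scheme table. The point it shows is that both variants return the same attributes for every input, so checking for `false` removes the PHP 8 warning without changing what gets `target="_blank"`.

```php
<?php
declare(strict_types=1);

// Constructed model of the TargetBlank bug and fix; not HTMLPurifier's own code.
// A scheme lookup returns an object or false, and the attribute transform must
// check for false before reading ->browsable. Requires PHP 8.0+.

final class SchemeInfo
{
    public function __construct(public string $name, public bool $browsable) {}
}

/**
 * Hypothetical stand-in for $url->getSchemeObj(): returns the scheme object for
 * a known scheme, or false when the scheme is unknown. The table is constructed
 * for this example; HTMLPurifier keeps its own scheme registry.
 */
function lookupScheme(string $href): SchemeInfo|false
{
    static $known = [
        'http'   => true,   // browsable: an ordinary web link
        'https'  => true,
        'mailto' => false,  // known, but not browsable
        'tel'    => false,
    ];
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $href, $m)) {
        return false; // assumption for this model: scheme-less hrefs are not looked up
    }
    $scheme = strtolower($m[1]);
    return isset($known[$scheme]) ? new SchemeInfo($scheme, $known[$scheme]) : false;
}

/** Before the fix: reads ->browsable on whatever lookupScheme() returned. */
function addTargetBlankUnchecked(array $attr): array
{
    if (!isset($attr['href'])) {
        return $attr;
    }
    $scheme = lookupScheme($attr['href']);
    // When $scheme is false, PHP 8 emits the warning quoted in the PR text
    // (Attempt to read property "browsable" on bool); the expression is null,
    // so the branch is skipped anyway and target is not added.
    if ($scheme->browsable) {
        $attr['target'] = '_blank';
    }
    return $attr;
}

/** After the fix: unknown schemes are skipped explicitly, with no warning. */
function addTargetBlankChecked(array $attr): array
{
    if (!isset($attr['href'])) {
        return $attr;
    }
    $scheme = lookupScheme($attr['href']);
    if ($scheme !== false && $scheme->browsable) {
        $attr['target'] = '_blank';
    }
    return $attr;
}

// Capture warnings in memory instead of letting them reach the error log.
$warnings = [];
set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
    $warnings[] = $errstr;
    return true;
});

// Constructed inputs; the last two are the unknown schemes named in the PR text.
$cases = [
    ['href' => 'https://example.com/page'],
    ['href' => 'mailto:someone@example.com'],
    ['href' => 'javascript:void(0)'],
    ['href' => 'itms-apps://itunes.apple.com/developer/id1234567890'],
];

foreach ($cases as $attr) {
    foreach (['addTargetBlankUnchecked', 'addTargetBlankChecked'] as $fn) {
        $before = count($warnings);
        $out = $fn($attr);
        printf("%-24s %-55s target=%-7s warnings=%d\n",
            $fn, $attr['href'], $out['target'] ?? '(none)', count($warnings) - $before);
    }
}
restore_error_handler();

// Only the unchecked transform contributes entries here, one per unknown scheme.
foreach ($warnings as $w) {
    echo "captured: $w\n";
}
```

Run it with `php example.php`. The table of results is the useful part: for each href the two transforms agree on whether `target` was set, and the `warnings` column is non-zero only for the unchecked variant on an unknown scheme. That is the property the PR description claims for the real fix (no functional change, only the missing `false` check), and it is the check a reviewer would want to see for a change in a sanitizer's attribute handling.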
@ezyang ezyang merged commit 0176ef4 into ezyang:master Jan 27, 2023
@jstanden jstanden deleted the jstanden-patch-1 branch January 27, 2023 00:33
github-actions Bot pushed a commit that referenced this pull request Nov 17, 2023
# [4.17.0](v4.16.0...v4.17.0) (2023-11-17)

### Bug Fixes

* CSSTidy ImportantComments not handled properly ([#359](#359)) ([78a9b4d](78a9b4d))
* fix CI ([#361](#361)) ([9ec687c](9ec687c))
* Invalid scheme check in Attr.TargetBlank ([#363](#363)) ([0176ef4](0176ef4))
* semantic release ([#339](#339)) ([d82f3d9](d82f3d9))
* semantic release ([#341](#341)) ([e55fead](e55fead)), closes [#339](#339)
* Support for locales using decimal separators other than . (dot) ([#372](#372)) ([43f49ac](43f49ac))

### Features

* Add support for all text-decoration properties ([#360](#360)) ([2d775c0](2d775c0))
* Allows commas to be included in tel URI ([#389](#389)) ([ec92490](ec92490)), closes [#388](#388)

### Reverts

* Revert "fix: semantic release (#339)" (#340) ([3e83215](3e83215)), closes [#339](#339) [#340](#340)
@github-actions

🎉 This PR is included in version 4.17.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
