fix: Invalid scheme check in Attr.TargetBlank (#363)

2024-12-22 08:21:52 +00:00 · 2023-01-26 16:06:28 -08:00 · 2023-01-26 16:06:28 -08:00 · 0176ef4bb6
commit 0176ef4bb6
parent 78a9b4d0da
1 changed files with 5 additions and 1 deletions
--- a/library/HTMLPurifier/AttrTransform/TargetBlank.php
+++ b/library/HTMLPurifier/AttrTransform/TargetBlank.php
@ -33,7 +33,11 @@ class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform

        // XXX Kind of inefficient
        $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
+        
+        // Ignore invalid schemes (e.g. `javascript:`)
+        if (!($scheme = $url->getSchemeObj($config, $context))) {
+            return $attr;
+        }

        if ($scheme->browsable && !$url->isBenign($config, $context)) {
            $attr['target'] = '_blank';