
Commit 0ef273b

author
Antoine Beyet
committed
[HtmlSanitizer] Avoid accessing non existent array key when checking for hosts validity
fix #59524
1 parent 7f16925 commit 0ef273b


2 files changed

+10
-1
lines changed


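--- a/Tests/TextSanitizer/UrlSanitizerTest.php
+++ b/Tests/TextSanitizer/UrlSanitizerTest.php
@@ -274,6 +274,15 @@ public static function provideSanitize(): iterable
 'expected' => null,
 ];
 
+yield [
+'input' => 'https://trusted.com/link.php',
+'allowedSchemes' => ['http', 'https'],
+'allowedHosts' => ['subdomain.trusted.com', 'trusted.com'],
+'forceHttps' => false,
+'allowRelative' => false,
+'expected' => 'https://trusted.com/link.php',
+];
+
 // Allow relative
 yield [
 'input' => '/link.php',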
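Review bot: The dataset added at new lines 277-284 only pins the accepting outcome, so the fail-closed result of the new guard is never asserted on its own. The first allowed host `subdomain.trusted.com` has more labels than the input host, but the URL is still expected back, presumably because the second entry `trusted.com` matches. I would add a companion dataset whose only allowed host is the longer one and whose expected value is `null`, so that a URL host shorter than every allow-list entry is proven to be rejected. A one-line comment above each dataset, like the neighbouring `// Allow relative`, would also say what is being covered. `provideSanitize()` starts and ends outside this hunk.

```php
// … unchanged: dataset accepting trusted.com via the second allowed host …

// Host has fewer labels than the only allowed host: must be rejected
yield [
    'input' => 'https://trusted.com/link.php',
    'allowedSchemes' => ['http', 'https'],
    'allowedHosts' => ['subdomain.trusted.com'],
    'forceHttps' => false,
    'allowRelative' => false,
    'expected' => null,
];
```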

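--- a/TextSanitizer/UrlSanitizer.php
+++ b/TextSanitizer/UrlSanitizer.php
@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
 {
 // Check each chunk of the domain is valid
 foreach ($trustedParts as $key => $trustedPart) {
-if ($uriParts[$key] !== $trustedPart) {
+if (!array_key_exists($key, $uriParts) || $uriParts[$key] !== $trustedPart) {
 return false;
 }
 }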
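Review bot: The guard on new line 135 makes a host with too few parts fail closed, but the function's only comment does not say that this is intended, nor that the comparison is one-sided. The loop walks `$trustedParts` only, so any additional entries in `$uriParts` are never compared. If the caller passes the host labels in reversed order (not visible in this hunk), an allow-list entry such as `trusted.com` would presumably also admit every subdomain of it. I would extend the existing comment to state the contract, e.g. `// Every trusted part must exist in the URI host and be identical; a shorter host is rejected, extra host parts are not checked`. The function body continues past the hunk, so the return taken on a full match is not shown here.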
