From 15ef504549a5b34bf80928387711bf4a1f81fdcb Mon Sep 17 00:00:00 2001
From: fmkorea <fmkorea@fmkorea.com>
Date: Sun, 8 Feb 2026 07:44:08 +0000
Subject: [PATCH] fix: PHP 8.1+ null parameter deprecation warnings in
 Generator.php

Add null coalescing operator (?? '') to prevent deprecation warnings
on PHP 8.1-8.4 and TypeError on PHP 8.5+ when null is passed to
built-in string functions.

Changes:
- generateAttributes(): strpos(), strcspn(), strlen() with null $value
- escape(): htmlspecialchars() with null $string
- Flash compat: $token->attr['name'] / $token->attr['value'] may not exist
---
 library/HTMLPurifier/Generator.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/HTMLPurifier/Generator.php b/library/HTMLPurifier/Generator.php
index 457fa905..30b0172a 100644
--- a/library/HTMLPurifier/Generator.php
+++ b/library/HTMLPurifier/Generator.php
@@ -165,7 +165,7 @@ public function generateFromToken($token)
 
         } elseif ($token instanceof HTMLPurifier_Token_Empty) {
             if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) {
-                $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value'];
+                $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name'] ?? ''] = $token->attr['value'] ?? '';
             }
             $attr = $this->generateAttributes($token->attr, $token->name);
              return '<' . $token->name . ($attr ? ' ' : '') . $attr .
@@ -248,10 +248,10 @@ public function generateAttributes($assoc_array_of_attributes, $element = '')
             // don't process user input with innerHTML or you don't plan
             // on supporting Internet Explorer.
             if ($this->_innerHTMLFix) {
-                if (strpos($value, '`') !== false) {
+                if (strpos($value ?? '', '`') !== false) {
                     // check if correct quoting style would not already be
                     // triggered
-                    if (strcspn($value, '"\' <>') === strlen($value)) {
+                    if (strcspn($value ?? '', '"\' <>') === strlen($value ?? '')) {
                         // protect!
                         $value .= ' ';
                     }
@@ -279,7 +279,7 @@ public function escape($string, $quote = null)
         if ($quote === null) {
             $quote = ENT_COMPAT;
         }
-        return htmlspecialchars($string, $quote, 'UTF-8');
+        return htmlspecialchars($string ?? '', $quote, 'UTF-8');
     }
 }