From 099d8397c991316d9213304aa428c5c2824e3c5b Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Mon, 11 Jul 2022 21:55:09 +0900
Subject: [PATCH] Prevent path conversion of data: URL in <img> tag

---
 classes/template/TemplateHandler.class.php | 4 ++--
 tests/unit/classes/TemplateHandlerTest.php | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/classes/template/TemplateHandler.class.php b/classes/template/TemplateHandler.class.php
index ae04423a0..5f332f2ec 100644
--- a/classes/template/TemplateHandler.class.php
+++ b/classes/template/TemplateHandler.class.php
@@ -269,7 +269,7 @@ class TemplateHandler
 		$buff = preg_replace('@<!--//.*?-->@s', '', $buff);
 
 		// replace value of src in img/input/script tag
-		$buff = preg_replace_callback('/<(?:img|input|script)(?:[^<>]*?)(?(?=cond=")(?:cond="[^"]+"[^<>]*)+|)[^<>]* src="(?!(?:https?|file):\/\/|[\/\{])([^"]+)"/is', array($this, '_replacePath'), $buff);
+		$buff = preg_replace_callback('/<(?:img|input|script)(?:[^<>]*?)(?(?=cond=")(?:cond="[^"]+"[^<>]*)+|)[^<>]* src="(?!(?:https?|file|data):|[\/\{])([^"]+)"/is', array($this, '_replacePath'), $buff);
 
 		// replace value of srcset in img/source/link tag
 		$buff = preg_replace_callback('/<(?:img|source|link)(?:[^<>]*?)(?(?=cond=")(?:cond="[^"]+"[^<>]*)+|)[^<>]* srcset="([^"]+)"/is', array($this, '_replaceSrcsetPath'), $buff);
@@ -503,7 +503,7 @@ class TemplateHandler
 		foreach ($url_list as &$url) {
 			// replace if url is not starting with the pattern
 			$url = preg_replace_callback(
-				'/^(?!(?:https?|file):\/\/|[\/\{])(\S+)/i',
+				'/^(?!(?:https?|file|data):|[\/\{])(\S+)/i',
 				array($this, '_replaceRelativePath'),
 				trim($url)
 			);
diff --git a/tests/unit/classes/TemplateHandlerTest.php b/tests/unit/classes/TemplateHandlerTest.php
index 9cc760020..d2a4ba124 100644
--- a/tests/unit/classes/TemplateHandlerTest.php
+++ b/tests/unit/classes/TemplateHandlerTest.php
@@ -282,6 +282,10 @@ class TemplateHandlerTest extends \Codeception\TestCase\Test
                 '<input>asdf src="../img/img.gif" asdf</input>',
                 '?><input>asdf src="../img/img.gif" asdf</input>'
             ),
+			array(
+				'<img src="data:image/png;base64,AAAAAAAAAAA=" />',
+				'?><img src="data:image/png;base64,AAAAAAAAAAA=" />'
+			),
             // srcset (PR #1544)
             array(
                 '<img src="./img/sticker_banner_960w.png" alt="this is a test image." srcset="https://abc.com/static/img/test@2x.png 2x,  http://abc.com/static/test@2.5x.png 2.5x,../img/test@3x.png 3x, ../img/test_960w.png  960w, {$mid}/image.png 480w">',