From 1c282549026a8bf4ba11346151bb900d7c21bdd7 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 11 Sep 2021 19:47:04 +0900
Subject: [PATCH] Move image URL cleaning function to HTMLFilter #1787
---
 common/framework/filters/htmlfilter.php | 32 +++++++++++++++++++
 common/framework/mail.php | 14 ++------
 .../unit/framework/filters/HTMLFilterTest.php | 12 +++++++
 3 files changed, 46 insertions(+), 12 deletions(-)
diff --git a/common/framework/filters/htmlfilter.php b/common/framework/filters/htmlfilter.php
index e79d02709..597463406 100644
--- a/common/framework/filters/htmlfilter.php
+++ b/common/framework/filters/htmlfilter.php
@@ -5,6 +5,7 @@ namespace Rhymix\Framework\Filters;
 use Rhymix\Framework\Config;
 use Rhymix\Framework\Security;
 use Rhymix\Framework\Storage;
+use Rhymix\Framework\URL;
 /**
 * The HTML filter class.
@@ -115,6 +116,37 @@ class HTMLFilter
 return $output;
 }
+ /**
+ * Convert relative URLs to absolute URLs in HTML content.
+ *
+ * This is useful when sending content outside of the website,
+ * such as e-mail and RSS, where relative URLs might not mean the same.
+ *
+ * This method also removes attributes that don't mean anything
+ * when sent outside of the website, such as editor component names.
+ *
+ * This method DOES NOT check HTML content for XSS or other attacks.
+ *
+ * @param string $content
+ * @return string
+ */
+ public static function fixRelativeUrls(string $content): string
+ {
+ $patterns = [
+ '!\b(?i:src)=(["\']?)(?:\./|' . preg_quote(\RX_BASEURL, '!') . '|)files/!',
+ '!\b(?:data-file-srl|editor_component|widget|id)="[^"]*"\s?!',
+ '!\b(?:class="zbxe_widget_output")\s?!',
+ ];
+ $replacements = [
+ 'src=$1' . URL::getCurrentDomainURL(\RX_BASEURL) . 'files/',
+ '',
+ '',
+ ];
+ return preg_replace_callback('/<(img|video|audio|source)\b([^>]+)>/i', function($match) use($patterns, $replacements) {
+ return preg_replace($patterns, $replacements, $match[0]);
+ }, $content);
+ }
+
 /**
 * Get an instance of HTMLPurifier.
 *
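Review bot: The attribute patterns in `fixRelativeUrls()` are anchored only with `\b`, and `-` counts as a word boundary, so `id="…"` also matches the tail of `data-id="…"` (leaving a bare `data-`) and `src=` also matches `data-src=`. Anchoring the names to the start of an attribute avoids that, e.g. `'!(?<![\w-])(?:data-file-srl|editor_component|widget|id)="[^"]*"\s?!'` and `(?<![\w-])(?i:src)=` in the first pattern. The patterns also run over the whole tag text, quoted attribute values included, so a removal can begin inside one quoted value and end in another, and the tag that comes out may parse differently from the tag that went in. The lookbehind does not cover that case, so the docblock warning should also state the ordering: `Call this before HTMLFilter::clean(), never on HTML that has already been sanitized.`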
diff --git a/common/framework/mail.php b/common/framework/mail.php
index c612b4366..b49f24db3 100644
--- a/common/framework/mail.php
+++ b/common/framework/mail.php
@@ -406,7 +406,7 @@ class Mail
 if (strpos($this->content_type, 'html') !== false)
 {
- $content = preg_replace_callback('/]+)>/i', array($this, 'convertImageURLs'), $content);
+ $content = Filters\HTMLFilter::fixRelativeUrls($content);
 }
 $this->message->setBody($content, $this->content_type);
@@ -635,17 +635,7 @@ class Mail
 */
 protected function convertImageURLs(array $matches)
 {
- $patterns = [
- '!\b(?i:src)=(["\']?)(?:\./|' . preg_quote(\RX_BASEURL, '!') . '|)files/!',
- '!\b(?:data-file-srl|editor_component|widget|id)="[^"]*"\s?!',
- '!\b(?:class="zbxe_widget_output")\s?!',
- ];
- $replacements = [
- 'src=$1' . URL::getCurrentDomainURL(\RX_BASEURL) . 'files/',
- '',
- '',
- ];
- return preg_replace($patterns, $replacements, $matches[0]);
+ return Filters\HTMLFilter::fixRelativeUrls($matches[0]);
 }
 /**
diff --git a/tests/unit/framework/filters/HTMLFilterTest.php b/tests/unit/framework/filters/HTMLFilterTest.php
index 302afb107..123921a9c 100644
--- a/tests/unit/framework/filters/HTMLFilterTest.php
+++ b/tests/unit/framework/filters/HTMLFilterTest.php
@@ -241,4 +241,16 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
 $target = '
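Review bot: The new call at `$content = Filters\HTMLFilter::fixRelativeUrls($content);` can raise a TypeError while the message is being built, because the helper is declared `: string` but returns the result of `preg_replace_callback()` directly, and that is `null` when PCRE fails on a large or unusual body. The fix belongs in the helper: end its return with `?? $content`, and end the inner `return preg_replace($patterns, $replacements, $match[0])` with `?? $match[0]` so a failed rewrite keeps the tag instead of dropping it. The enclosing method starts and ends outside the hunk, so whether `$content` has been sanitized before this point is not visible here.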
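Review bot: `convertImageURLs()` has no caller left in the visible hunks, yet it stays as a protected method that sends a single matched tag back through the full-document scanner in `fixRelativeUrls()`. If it is kept only so subclasses do not break, say so in its docblock, which starts above the hunk, with `@deprecated Use Filters\HTMLFilter::fixRelativeUrls() instead.` Otherwise remove it, so that exactly one code path rewrites markup on its way into outgoing mail.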

foobar

';
 $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
 }
+
+ public function testHTMLFilterFixMediaUrls()
+ {
+ $content = Rhymix\Framework\Filters\HTMLFilter::fixRelativeUrls('TEST');
+ $this->assertEquals('TEST', $content);
+ $content = Rhymix\Framework\Filters\HTMLFilter::fixRelativeUrls('');
+ $this->assertEquals('', $content);
+ $content = Rhymix\Framework\Filters\HTMLFilter::fixRelativeUrls('');
+ $this->assertEquals('', $content);
+ $content = Rhymix\Framework\Filters\HTMLFilter::fixRelativeUrls('TEST');
+ $this->assertEquals('TEST', $content);
+ }
 }