FIX: Cooking custom emojis should not use a secure URL (#15929)
When a site has secure media enabled and a post has secure media, we were incorrectly cooking custom emoji URLs and using the secure URL for those emojis, even though they should not be considered secure (their corresponding upload records in the database are _not_ secure). Now, instead of passing the blanket post.with_secure_media? boolean as the secure: param, we also make sure the image whose URL is being cooked is _not_ a custom emoji.
parent
a34075d205
commit
88a8584348
|
@ -415,7 +415,10 @@ class CookedPostProcessor
|
|||
|
||||
%w{src data-small-upload}.each do |selector|
|
||||
@doc.css("img[#{selector}]").each do |img|
|
||||
img[selector] = UrlHelper.cook_url(img[selector].to_s, secure: @post.with_secure_media?)
|
||||
custom_emoji = img["class"]&.include?("emoji-custom") && Emoji.custom?(img["title"])
|
||||
img[selector] = UrlHelper.cook_url(
|
||||
img[selector].to_s, secure: @post.with_secure_media? && !custom_emoji
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
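Review bot: The `custom_emoji` check decides whether to drop the secure URL from the element's `class` and `title` attributes alone, and never looks at the URL that is actually being cooked. `img["class"]&.include?("emoji-custom")` is also a substring test on the whole class string, so any class name that merely contains that text passes; a token match such as `custom_emoji = img["class"].to_s.split.include?("emoji-custom") && Emoji.custom?(img["title"])` is tighter. Because a false positive means a secure upload's URL is cooked as non-secure, it would be worth also confirming that `img[selector]` is the emoji's own URL, unless the cooking sanitizer already guarantees authors cannot put these attributes on other images, which is not visible in this hunk. A comment above the line such as `# custom emoji uploads are not secure uploads, so never cook their URLs as secure` would record the intent; the enclosing method starts outside the hunk.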
@ -1359,6 +1359,26 @@ describe CookedPostProcessor do
|
|||
HTML
|
||||
end
|
||||
|
||||
it "doesn't use the secure media URL for custom emoji" do
|
||||
CustomEmoji.create!(name: 'trout', upload: upload)
|
||||
Emoji.clear_cache
|
||||
Emoji.load_custom
|
||||
stored_path = Discourse.store.get_path_for_upload(upload)
|
||||
upload.update_column(:url, "#{SiteSetting.Upload.absolute_base_url}/#{stored_path}")
|
||||
upload.update_column(:secure, true)
|
||||
|
||||
the_post = Fabricate(:post, raw: "This post has a custom emoji :trout:")
|
||||
the_post.cook(the_post.raw)
|
||||
|
||||
cpp = CookedPostProcessor.new(the_post)
|
||||
cpp.optimize_urls
|
||||
|
||||
upload_url = upload.url.gsub(SiteSetting.Upload.absolute_base_url, "https://s3.cdn.com")
|
||||
expect(cpp.html).to match_html <<~HTML
|
||||
<p>This post has a custom emoji <img src="#{upload_url}?v=#{Emoji::EMOJI_VERSION}" title=":trout:" class="emoji emoji-custom" alt=":trout:" loading="lazy" width="20" height="20"></p>
|
||||
HTML
|
||||
end
|
||||
|
||||
context "media uploads" do
|
||||
fab!(:image_upload) { Fabricate(:upload) }
|
||||
fab!(:audio_upload) { Fabricate(:upload, extension: "ogg") }
|
||||
|
|
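Review bot: The negative cases are missing from this example: nothing added here asserts that a non-emoji image in the same post still gets the secure URL, or that an `<img>` carrying the `emoji-custom` class with a title that is not a registered custom emoji does. One such case next to this one would guard the `&& !custom_emoji` condition against being widened later. The `upload.update_column(:secure, true)` line also reads oddly beside the commit message, which says emoji uploads are not secure; if the intent is to force the worst case, a comment like `# even if the upload row is flagged secure, the emoji URL must not be cooked as secure` would make that clear. The secure-media setup this example relies on is presumably in a `before` block outside the hunk.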