Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: secure_media stripping on lightboxes, non-image links (#11121) 

- Fixes stripping of lightboxes with empty srcset attribute
- Does not fail when email has links with secure media URLs but no child image elements
This commit is contained in:
Penar Musaraj 2020-11-04 15:45:50 -05:00 committed by GitHub
parent 3397e0e38b
commit c1f3bd6a1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/pretty_text.rb
View File

@ -414,12 +414,18 @@ module PrettyText
target = non_image_media ? a.parent : a
next if target.to_s.include?('stripped-secure-view-media')
next if a.css('img[src]').empty? && !non_image_media
if a.classes.include?('lightbox')
# we are using the first image from the srcset here so we get the
# optimized image instead of the possibly huge original
img = a.css('img[src]').first
srcset = img.attributes['srcset'].value
url = srcset.split(',').first
srcset = img&.attributes['srcset']&.value
if srcset
# if available, use the first image from the srcset here
# so we get the optimized image instead of the possibly huge original
url = srcset.split(',').first
else
url = img['src']
end
a.add_next_sibling secure_media_placeholder(doc, url, width: img['width'], height: img['height'])
a.remove
else

25
spec/components/email/styles_spec.rb
View File

@ -210,6 +210,31 @@ describe Email::Styles do
frag = html_fragment("<a href=\"#{Discourse.base_url}\/t/secure-media-uploads/235723\">Visit Topic</a>")
expect(frag.to_s).not_to include("Redacted")
end
it "works in lightboxes with missing srcset attribute" do
frag = html_fragment("<a href=\"#{Discourse.base_url}\/secure-media-uploads/original/1X/testimage.png\" class=\"lightbox\"><img src=\"/secure-media-uploads/original/1X/testimage.png\"></a>")
expect(frag.at('img')).not_to be_present
expect(frag.to_s).to include("Redacted")
end
it "works in lightboxes with srcset attribute set" do
frag = html_fragment(
<<~HTML
<a href="#{Discourse.base_url}/secure-media-uploads/original/1X/testimage.png" class="lightbox">
<img src="/secure-media-uploads/original/1X/testimage.png" srcset="/secure-media-uploads/optimized/1X/testimage.png, /secure-media-uploads/original/1X/testimage.png 1.5x" />
</a>
HTML
)
expect(frag.at('img')).not_to be_present
expect(frag.to_s).to include("Redacted")
end
it "skips links with no images as children" do
frag = html_fragment("<a href=\"#{Discourse.base_url}\/secure-media-uploads/original/1X/testimage.png\"><span>Clearly not an image</span></a>")
expect(frag.to_s).to include("not an image")
end
end
context "inline_secure_images" do