forked from gitea/gitea
1
0
Fork 0

Fix data URI scramble (#16098) (#16118)

* Fix data URI scramble (#16098)

* Removed unused method.

* No prefix for data uris.

* Added test to prevent regressions.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
This commit is contained in:
6543 2021-06-09 16:31:40 +02:00 committed by GitHub
parent 3be67e9a2b
commit ac84bb7183
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 8 deletions

View File

@ -403,24 +403,19 @@ func (ctx *postProcessCtx) visitNode(node *html.Node, visitText bool) {
} }
case html.ElementNode: case html.ElementNode:
if node.Data == "img" { if node.Data == "img" {
attrs := node.Attr for _, attr := range node.Attr {
for idx, attr := range attrs {
if attr.Key != "src" { if attr.Key != "src" {
continue continue
} }
link := []byte(attr.Val) if len(attr.Val) > 0 && !isLinkStr(attr.Val) && !strings.HasPrefix(attr.Val, "data:image/") {
if len(link) > 0 && !IsLink(link) {
prefix := ctx.urlPrefix prefix := ctx.urlPrefix
if ctx.isWikiMarkdown { if ctx.isWikiMarkdown {
prefix = util.URLJoin(prefix, "wiki", "raw") prefix = util.URLJoin(prefix, "wiki", "raw")
} }
prefix = strings.Replace(prefix, "/src/", "/media/", 1) prefix = strings.Replace(prefix, "/src/", "/media/", 1)
lnk := string(link) attr.Val = util.URLJoin(prefix, attr.Val)
lnk = util.URLJoin(prefix, lnk)
link = []byte(lnk)
} }
node.Attr[idx].Val = string(link)
} }
} else if node.Data == "a" { } else if node.Data == "a" {
visitText = false visitText = false

View File

@ -408,3 +408,20 @@ func Test_ParseClusterFuzz(t *testing.T) {
assert.NotContains(t, string(val), "<html") assert.NotContains(t, string(val), "<html")
} }
func TestIssue16020(t *testing.T) {
setting.AppURL = AppURL
setting.AppSubURL = AppSubURL
var localMetas = map[string]string{
"user": "go-gitea",
"repo": "gitea",
}
data := `<img src="data:image/png;base64,i//V"/>`
// func PostProcess(rawHTML []byte, urlPrefix string, metas map[string]string, isWikiMarkdown bool) ([]byte, error)
res, err := PostProcess([]byte(data), "https://example.com", localMetas, false)
assert.NoError(t, err)
assert.Equal(t, data, string(res))
}