AO3-6571 Prevent relative image paths. (#4598)

* AO3-6571 Prevent relative image paths.

* AO3-6571 Use APP_URL instead of APP_HOST.

* AO3-6571 Typo.

* AO3-6571 Typo.

config/config.yml

@@ -277,7 +277,7 @@ ANONYMOUS_THRESHOLD_COUNT: 10
 COMMENT_MODERATION_THRESHOLD: 10
 
 # SANITIZER VERSION
-SANITIZER_VERSION: 3
+SANITIZER_VERSION: 4
 
 # parameters that must be natural integers and their default values
 NONZERO_INTEGER_PARAMETERS:

config/initializers/gem-plugin_config/sanitizer_config.rb

@@ -33,7 +33,7 @@ module Config
       protocols: {
         "a" => { "href" => ["ftp", "http", "https", "mailto", :relative] },
         "blockquote" => { "cite" => ["http", "https", :relative] },
-        "img" => { "src" => ["http", "https", :relative] },
+        "img" => { "src" => ["http", "https"] },
         "q" => { "cite" => ["http", "https", :relative] }
       },
 
@@ -58,5 +58,14 @@ module Config
 
       env[:node]["open"] = "open" if env[:node].has_attribute?("open")
     end
+
+    # On img elements, convert relative paths to absolute:
+    RELATIVE_IMAGE_PATH_TRANSFORMER = lambda do |env|
+      return unless env[:node_name] == "img" && env[:node]["src"]
+
+      env[:node]["src"] = URI.join(ArchiveConfig.APP_URL, env[:node]["src"])
+    rescue URI::InvalidURIError
+      # do nothing, the sanitizer will handle it
+    end
   end
 end

features/other_a/parser.feature

@@ -42,7 +42,7 @@ Feature: Parsing HTML
     And I fill in "content" with "<p class='size-10'><img src='britney.gif' alt='Britney Spears' />You better work</p>"
     And I press "Preview"
   Then I should see "Draft was successfully created."
-    And I should see the image "src" text "britney.gif"
+    And I should see the image "src" text "http://www.example.org/britney.gif"
     And I should see the image "alt" text "Britney Spears"
   When I press "Edit"
   Then the "Summary" field should not contain "myclass"
@@ -51,7 +51,7 @@ Feature: Parsing HTML
     And the "content" field should contain "size-10"
   When I press "Post"
   Then I should see "Work was successfully posted."
-    And I should see the image "src" text "britney.gif"
+    And I should see the image "src" text "http://www.example.org/britney.gif"
 
   Scenario: Chapter notes and content HTML keep classes when previewing before posting
   Given I am logged in as a random user

lib/html_cleaner.rb

@@ -56,7 +56,10 @@ def sanitize_value(field, value)
     end
     if ArchiveConfig.FIELDS_ALLOWING_HTML.include?(field.to_s)
       # We're allowing users to use HTML in this field
-      transformers = [Sanitize::Config::OPEN_ATTRIBUTE_TRANSFORMER]
+      transformers = [
+        Sanitize::Config::OPEN_ATTRIBUTE_TRANSFORMER,
+        Sanitize::Config::RELATIVE_IMAGE_PATH_TRANSFORMER
+      ]
       if ArchiveConfig.FIELDS_ALLOWING_VIDEO_EMBEDS.include?(field.to_s)
         transformers << OtwSanitize::EmbedSanitizer.transformer
         transformers << OtwSanitize::MediaSanitizer.transformer

spec/lib/html_cleaner_spec.rb

@@ -455,6 +455,20 @@
             end
           end
         end
+
+        context "when given an <img> tag with a relative src" do
+          it "converts the src value to an absolute URL" do
+            content = sanitize_value(field, "<img src=\"relative\">")
+            expect(content).to eq("<p>\n  <img src=\"#{ArchiveConfig.APP_URL}/relative\" \/>\n</p>")
+          end
+        end
+
+        context "when given an <img> tag with an absolute src" do
+          it "doesn't modify the src value" do
+            content = sanitize_value(field, "<img src=\"http://random.com/image.png\">")
+            expect(content).to eq("<p>\n  <img src=\"http://random.com/image.png\" \/>\n</p>")
+          end
+        end
       end
     end