Problem
If you upload an image trough the WYSIWYG editor (CK) the image you uploaded is inserted in the HTML with the absolute path (including protocol and domain).
This can be an issue:
- If you have a setup where 2 domains point to the same instance (e.g. drupal.be & drupal.fr).
- And you upload an image trough CK editor on the drupal.be website.
- You use the Basic HTML profile with the "Restrict images to this site" filter enabled.
- The image will be inserted in the html as
<img src="http://drupal.be/path/to/the/image.png" />
- After saving the node the node will be rendered, the "Restrict images to this site" filter will validate the domain of the URL, approve it and alter the src to a relative path.
- This works as expected
But what if:
- The cache gets cleared.
- And a user accesses the node as first through the drupal.fr domain.
- The HTML of the node is send trough the "Restrict images to this site" filter.
- The domain of the image src in the HTML does not match the domain the code is filtered in.
- The src of the image is replaced by the insecure message
- This is not expected behaviour!
In fact, since the rendered node is cached, it will be shown as insecure image on both domains!
Proposed resolution
During file upload the image should be inserted with a relative src.
Change the submit submitForm()
method in the \Drupal\editor\Form\EditorImageDialog
class:
Remove the Domain (and port) from the rendered URL:
$form_state['values']['attributes']['src'] = file_create_url($file->getFileUri());
Related Issues
- https://drupal.org/node/2076847 : FilterHtmlImageSecure incorrectly flags images coming from site URLs with ports in them as insecure.
Comment | File | Size | Author |
---|---|---|---|
#24 | interdiff.txt | 2.37 KB | Wim Leers |
#24 | editor_image_upload_relative_path-2099205-24.patch | 6.52 KB | Wim Leers |
#22 | editor_image_upload_relative_path-2099205-22-debug-testbot.patch | 6.35 KB | Wim Leers |
#20 | interdiff.txt | 671 bytes | Wim Leers |
#20 | editor_image_upload_relative_path-2099205-20-debug-testbot.patch | 6.18 KB | Wim Leers |
Comments
Comment #1
zero2one CreditAttribution: zero2one commentedHereby the patch that fixes the issue:
Comment #2
zero2one CreditAttribution: zero2one commentedI improved the patch: it did not support websites running on a specific port number.
It's a ugly fix, there should be a core function that removes the domain (and optional port) from an URL.
See also https://drupal.org/node/2076847
Comment #3
zero2one CreditAttribution: zero2one commentedImproved the code more: the replace pattern replaces now the domain and an optional port.
Comment #4
Wim Leers#2076847: FilterHtmlImageSecure incorrectly flags images coming from site URLs with ports in them as insecure got committed in the mean time — yay :)
Changes:
getHttpHost()
, just like in #2076847: FilterHtmlImageSecure incorrectly flags images coming from site URLs with ports in them as insecure.Comment #4.0
Wim LeersUpdated issue summary.
Comment #5
Gábor HojtsyWould it make sense to have a function for this since its the same logic as in filter module?
Comment #6
Wim Leers#5: That might make sense, yes. What about
file_transform_url_relative()
? Hopefully you can think of something better.Comment #7
Gábor HojtsyI don't think this would be in file module would it. That name sounds confusing for that. It would be in filter module, no?
Comment #8
Wim Leers#7: But wouldn't it be a lot stranger to put file handling functionality in filter.module? Despite filter.module being the only one in need of this functionality in core, I can imagine contrib modules wanting to use this too. And it's clearly within the responsibilities of the file system, in my opinion.
Comment #9
Gábor HojtsyYeah I don't feel strongly about it, but it looks to me like its filtering the URL for better display, may also apply to non-file module handled files (eg. theme). Anyway, its fine either way, there is no really clear place for it to go IMHO.
Comment #10
Wim LeersSo instead of duplicating the same URL manipulation in another location in Drupal core, this issue now proposes a minor API addition. Test coverage added.
Comment #11
Gábor HojtsyLooks good to me :)
Comment #12
Wim LeersComment #14
Wim LeersI can't reproduce this locally, so adding debug output to figure out why testbot is failing.
Comment #16
Wim LeersAdding even more debug output.
Comment #18
Wim LeersSigh… I accidentally created an interdiff instead of a patch. Let's try again.
Comment #20
Wim LeersOkay so the reason testbot is failing is that
getHttpHost()
returns'drupaltestbot1838:'
. That is in fact… a value that contradicts the contract of the function. WTF.How is this possible? The protocol must be
'http'
and the port must be80
.Adding two more
debug()
statements, to output the scheme and port.Comment #22
Wim LeersSigh, for some reason that patch was in fact the #18 patch. The interdiff was correct though. This was the intended patch…
Comment #24
Wim LeersSo apparently on testbot,
Request::getPort() === NULL
… hence the test failures!Hence the only thing I can do is work around that problem. Which is easy enough, but comes with a bit more code than the original.
Comment #25
Gábor HojtsyStill looks good, testbot specialties aside :)
Comment #26
webchickCommitted and pushed to 8.x, but let's get an upstream issue filed about getPort() because that is wacktastical.
Comment #27
Wim LeersAlright, upstream issue filed: https://github.com/symfony/symfony/issues/9604
Comment #29
Wim LeersNote this had some consequences for retrieving entities via REST too: #2630076: Inline images: how to calculate the absolute file URL.