Fix data URI scramble (#16098)

KN4CK3R · web-flow · commit 21cde5c43967 · 2021-06-07T18:55:26.000+02:00
* Removed unused method.

* No prefix for data uris.

* Added test to prevent regressions.
diff --git a/modules/markup/html.go b/modules/markup/html.go
@@ -364,24 +364,19 @@ func visitNode(ctx *RenderContext, procs []processor, node *html.Node, visitText
 		}
 	case html.ElementNode:
 		if node.Data == "img" {
-			attrs := node.Attr
-			for idx, attr := range attrs {
+			for _, attr := range node.Attr {
 				if attr.Key != "src" {
 					continue
 				}
-				link := []byte(attr.Val)
-				if len(link) > 0 && !IsLink(link) {
+				if len(attr.Val) > 0 && !isLinkStr(attr.Val) && !strings.HasPrefix(attr.Val, "data:image/") {
 					prefix := ctx.URLPrefix
 					if ctx.IsWiki {
 						prefix = util.URLJoin(prefix, "wiki", "raw")
 					}
 					prefix = strings.Replace(prefix, "/src/", "/media/", 1)
 
-					lnk := string(link)
-					lnk = util.URLJoin(prefix, lnk)
-					link = []byte(lnk)
+					attr.Val = util.URLJoin(prefix, attr.Val)
 				}
-				node.Attr[idx].Val = string(link)
 			}
 		} else if node.Data == "a" {
 			visitText = false
diff --git a/modules/markup/html_test.go b/modules/markup/html_test.go
@@ -444,3 +444,23 @@ func Test_ParseClusterFuzz(t *testing.T) {
 	assert.NoError(t, err)
 	assert.NotContains(t, res.String(), "<html")
 }
+
+func TestIssue16020(t *testing.T) {
+	setting.AppURL = AppURL
+	setting.AppSubURL = AppSubURL
+
+	var localMetas = map[string]string{
+		"user": "go-gitea",
+		"repo": "gitea",
+	}
+
+	data := `<img src="data:image/png;base64,i//V"/>`
+
+	var res strings.Builder
+	err := PostProcess(&RenderContext{
+		URLPrefix: "https://example.com",
+		Metas:     localMetas,
+	}, strings.NewReader(data), &res)
+	assert.NoError(t, err)
+	assert.Equal(t, data, res.String())
+}
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
@@ -131,13 +131,3 @@ func SanitizeReader(r io.Reader) *bytes.Buffer {
 	NewSanitizer()
 	return sanitizer.policy.SanitizeReader(r)
 }
-
-// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist.
-func SanitizeBytes(b []byte) []byte {
-	if len(b) == 0 {
-		// nothing to sanitize
-		return b
-	}
-	NewSanitizer()
-	return sanitizer.policy.SanitizeBytes(b)
-}
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
@@ -49,7 +49,6 @@ func Test_Sanitizer(t *testing.T) {
 
 	for i := 0; i < len(testCases); i += 2 {
 		assert.Equal(t, testCases[i+1], Sanitize(testCases[i]))
-		assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i]))))
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -364,24 +364,19 @@ func visitNode(ctx RenderContext, procs []processor, node html.Node, visitText`
`364`	`364`	`}`
`365`	`365`	`case html.ElementNode:`
`366`	`366`	`if node.Data == "img" {`
`367`		`- attrs := node.Attr`
`368`		`- for idx, attr := range attrs {`
	`367`	`+ for _, attr := range node.Attr {`
`369`	`368`	`if attr.Key != "src" {`
`370`	`369`	`continue`
`371`	`370`	`}`
`372`		`- link := []byte(attr.Val)`
`373`		`- if len(link) > 0 && !IsLink(link) {`
	`371`	`+ if len(attr.Val) > 0 && !isLinkStr(attr.Val) && !strings.HasPrefix(attr.Val, "data:image/") {`
`374`	`372`	`prefix := ctx.URLPrefix`
`375`	`373`	`if ctx.IsWiki {`
`376`	`374`	`prefix = util.URLJoin(prefix, "wiki", "raw")`
`377`	`375`	`}`
`378`	`376`	`prefix = strings.Replace(prefix, "/src/", "/media/", 1)`
`379`	`377`
`380`		`- lnk := string(link)`
`381`		`- lnk = util.URLJoin(prefix, lnk)`
`382`		`- link = []byte(lnk)`
	`378`	`+ attr.Val = util.URLJoin(prefix, attr.Val)`
`383`	`379`	`}`
`384`		`- node.Attr[idx].Val = string(link)`
`385`	`380`	`}`
`386`	`381`	`} else if node.Data == "a" {`
`387`	`382`	`visitText = false`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,6 @@ func Test_Sanitizer(t *testing.T) {`
`49`	`49`
`50`	`50`	`for i := 0; i < len(testCases); i += 2 {`
`51`	`51`	`assert.Equal(t, testCases[i+1], Sanitize(testCases[i]))`
`52`		`- assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i]))))`
`53`	`52`	`}`
`54`	`53`	`}`
`55`	`54`