FreshRSS/Extensions

ImageProxy cannot handle HTML encoding correctly.

Victrid opened this issue · 3 comments

When adding an origin URL with special characters like "&", ImageProxy will parse it into &amp;, which is not as expected.

It can be reproduced by setting the proxy URL to https://example.com/proxy?token=abcdef&url=

I'm afraid you're either mistaken or something about your problem description is slightly incomplete. &amp;url is definitely expected and desired since &url is invalid HTML.

If you input:

https://example.com/proxy?token=abcdef&url=

What you need to see in HTML is:

<img src="https://example.com/proxy?token=abcdef&amp;url="

Umm, I'm confused.

When using

https://example.com/proxy?token=abcdef&url=

I get tags like

<img src="https://example.com/proxy?token=abcdef&amp;amp;url=...">

and my nginx server error log says

invalid URL prefix in "", client: ..., server: example.com, request: "GET /proxy?token=abcdef&amp;url=https://contoso.com/some.jpg HTTP/1.1", host: "rexample.com"

The browser should not send escaped URLs to servers.

It seems that the &amp; is escaped twice.

Please see this:

$img->setAttribute('src', $newSrc);

Maybe PHP did the escape job automatically. As this Stack Overflow page describes, setAttribute will automatically escape the contents, which could cause the same problem.
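The double escaping discussed in this thread, reproduced as an added example (not code from the extension or from any commenter): a proxy URL that was HTML-escaped before being stored gets escaped a second time when it is passed to `setAttribute()` and serialized. The function names, the `htmlspecialchars()` stand-in for the earlier escaping step, the `rawurlencode()` of the origin and the sample image URL are assumptions.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

/** Build the <img> tag the way a DOM-based rewriter would. */
function renderProxiedImg(string $proxyUrl, string $origSrc): string
{
    $doc = new DOMDocument();
    $img = $doc->createElement('img');
    // setAttribute() expects the raw value; serialization escapes it once.
    $img->setAttribute('src', $proxyUrl . rawurlencode($origSrc));
    $doc->appendChild($img);
    return trim($doc->saveHTML($img));
}

/** The URL a browser would request: the src value after one HTML decode. */
function requestedUrl(string $imgTag): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($imgTag);
    return $doc->getElementsByTagName('img')->item(0)->getAttribute('src');
}

$typed  = 'https://example.com/proxy?token=abcdef&url='; // what the user enters
$origin = 'https://contoso.com/some.jpg';                 // constructed feed image

$cases = [
    'stored raw'         => $typed,
    // Assumption: an earlier layer HTML-escaped the setting before storing it.
    'stored pre-escaped' => htmlspecialchars($typed, ENT_QUOTES, 'UTF-8'),
];

foreach ($cases as $label => $stored) {
    $tag = renderProxiedImg($stored, $origin);
    $url = requestedUrl($tag);
    // Split the query string the way the proxy endpoint would.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    printf(
        "%s\n  tag: %s\n  GET: %s\n  proxy receives url parameter: %s\n\n",
        $label,
        $tag,
        $url,
        isset($query['url']) ? 'yes' : 'no'
    );
}
```

In the pre-escaped case the request carries a query key named `amp;url` instead of `url`, which is consistent with the empty URL prefix reported in the nginx error log above.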

I get tags like

<img src="https://example.com/proxy?token=abcdef&amp;amp;url=...">

Well, there you go then. That's quite different from & is turned into &amp;. ;-)

Please fix it like this instead:

diff --git a/xExtension-ImageProxy/extension.php b/xExtension-ImageProxy/extension.php
index 504248b..2e9e3c9 100644
--- a/xExtension-ImageProxy/extension.php
+++ b/xExtension-ImageProxy/extension.php
@@ -52,7 +52,7 @@ class ImageProxyExtension extends Minz_Extension {
                $this->registerTranslates();
 
                if (Minz_Request::isPost()) {
-                       FreshRSS_Context::$user_conf->image_proxy_url = Minz_Request::param('image_proxy_url', self::PROXY_URL);
+                       FreshRSS_Context::$user_conf->image_proxy_url = Minz_Request::param('image_proxy_url', self::PROXY_URL, true);
                        FreshRSS_Context::$user_conf->image_proxy_scheme_http = Minz_Request::param('image_proxy_scheme_http', '');
                        FreshRSS_Context::$user_conf->image_proxy_scheme_https = Minz_Request::param('image_proxy_scheme_https', '');
                        FreshRSS_Context::$user_conf->image_proxy_scheme_default = Minz_Request::param('image_proxy_scheme_default', self::SCHEME_DEFAULT);
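
Review bot: the `true` added on the `image_proxy_url` line sits inside the `Minz_Request::isPost()` branch, so it only affects values saved after this change; a proxy URL already stored with `&amp;` will keep producing `&amp;amp;` in `src` until the user re-submits the configuration form. Consider either noting that in the changelog or normalising the stored value once on load. A short comment on that line would also help, since it is the only `Minz_Request::param` call in the hunk with a third argument and the bare `true` does not say why this setting is treated differently from the three `image_proxy_scheme_*` values below it. Assuming the argument makes `param` return the value without HTML-escaping (which is what the double-escaping discussion implies), any template that prints `image_proxy_url` back into the settings page must now escape it on output.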