fix: usage of preg_match_all out variable (#1116)

Soare-Robert-Daniel · web-flow · commit f9f7dc32716f · 2025-07-31T17:02:12.000+03:00
The feedzy_image_encode was malformating the `$img_url` in case of links like https://heavy.com/wp-content/uploads/2025/05/GettyImages-2172500144.jpg?quality=65&strip=all where $url_tab['query'] was available to process. This was caused because $img_url was used as an out variable for `&$matches` param for `preg_match_all`.
diff --git a/includes/abstract/feedzy-rss-feeds-admin-abstract.php b/includes/abstract/feedzy-rss-feeds-admin-abstract.php
@@ -1149,9 +1149,10 @@ private function render_content( $sc, $feed, $feed_url, $content = '' ) {
 		if ( $feed_title['use_title'] ) {
 			$feed_title       = ! empty( $feed->get_title() ) ? $feed->get_title() : '';
 			$feed_description = ! empty( $feed->get_description() ) ? $feed->get_description() : '';
+			$feed_permalink   = ! empty( $feed->get_permalink() ) ? $feed->get_permalink() : '';
 
 			$content .= '<div class="rss_header">';
-			$content .= '<h2><a href="' . esc_url( $feed->get_permalink() ) . '" class="rss_title" rel="noopener">' . wp_kses_post( html_entity_decode( $feed_title ) ) . '</a> <span class="rss_description"> ' . wp_kses_post( $feed_description ) . '</span></h2>';
+			$content .= '<h2><a href="' . esc_url( $feed_permalink ) . '" class="rss_title" rel="noopener">' . wp_kses_post( html_entity_decode( $feed_title ) ) . '</a> <span class="rss_description"> ' . wp_kses_post( $feed_description ) . '</span></h2>';
 			$content .= '</div>';
 		}
 		$content .= '<ul>';
@@ -1279,7 +1280,7 @@ private function get_feed_title_filter( $feed, $sc, $feed_url ) {
 		return array(
 			'rss_url'               => $feed->get_permalink(),
 			'rss_title_class'       => 'rss_title',
-			'rss_title'             => html_entity_decode( $feed->get_title() ),
+			'rss_title'             => html_entity_decode( ! empty( $feed->get_title() ) ? $feed->get_title() : '' ),
 			'rss_description_class' => 'rss_description',
 			'rss_description'       => $feed->get_description(),
 			'rss_classes'           => array( $sc['classname'], 'feedzy-' . md5( is_array( $feed_url ) ? implode( ', ', $feed_url ) : $feed_url ) ),
@@ -1887,28 +1888,31 @@ public function feedzy_blacklist_images() {
 	}
 
 	/**
-	 * Image name encoder and url retrieve if in url param
+	 * Extracts image URLs from query parameters and sanitizes them.
+	 * 
+	 * Processes URLs that contain image URLs as query parameters (e.g., proxy or CDN URLs).
+	 * Supports GIF, JPG, JPEG, PNG, WebP, and AVIF formats.
 	 *
 	 * @since   3.0.0
 	 * @access  public
 	 *
-	 * @param   string $img_url A string containing the image URL.
+	 * @param   string $img_url URL containing either a direct image URL or one embedded in query parameters.
 	 *
-	 * @return  string
+	 * @return  string Extracted and sanitized image URL, or the original URL if no image found.
 	 */
 	public function feedzy_image_encode( $img_url ) {
 		// Check if img url is set as an URL parameter.
-		$url_tab = wp_parse_url( $img_url );
-		if ( isset( $url_tab['query'] ) ) {
-			preg_match_all( '/(http|https):\/\/[^ ]+(\.gif|\.GIF|\.jpg|\.JPG|\.jpeg|\.JPEG|\.png|\.PNG)/', $url_tab['query'], $img_url );
-			if ( isset( $img_url[0][0] ) ) {
-				$img_url = $img_url[0][0];
+		$parsed_url = wp_parse_url( $img_url );
+		if ( isset( $parsed_url['query'] ) ) {
+			preg_match_all( '/(http|https):\/\/[^ ]+(\.(gif|jpg|jpeg|png|webp|avif))/i', $parsed_url['query'], $matches );
+			if ( isset( $matches[0][0] ) && $this->is_image_url( $matches[0][0] ) ) {
+				$img_url = $matches[0][0];
 			}
 		}
 
-		$return = apply_filters( 'feedzy_image_encode', esc_url( $img_url ), $img_url );
-		do_action( 'themeisle_log_event', FEEDZY_NAME, sprintf( 'Changing image URL from %s to %s', $img_url, $return ), 'debug', __FILE__, __LINE__ );
-		return $return;
+		$filtered_url = apply_filters( 'feedzy_image_encode', esc_url( $img_url ), $img_url );
+		do_action( 'themeisle_log_event', FEEDZY_NAME, sprintf( 'Changing image URL from %s to %s', $img_url, $filtered_url ), 'debug', __FILE__, __LINE__ );
+		return $filtered_url;
 	}
 
 	/**
diff --git a/tests/test-admin-abstract.php b/tests/test-admin-abstract.php
@@ -63,6 +63,52 @@ public function test_feedzy_retrieve_image_with_enclosure_image() {
 		$this->assertEquals('https://example.com/image.jpg', $result);
 	}
 
+	/**
+	 * Test feedzy_retrieve_image method with enclosure containing image which has query parameters.
+	 */
+	public function test_feedzy_retrieve_image_with_enclosure_image_and_query_params() {
+		// Create a SimplePie feed with test data
+		$feed = new SimplePie();
+		// Reference: https://heavy.com/author/jgbuck/feed/
+		$feed->set_raw_data('<?xml version="1.0" encoding="UTF-8"?>
+			<rss version="2.0"
+				xmlns:content="http://purl.org/rss/1.0/modules/content/"
+				xmlns:wfw="http://wellformedweb.org/CommentAPI/"
+				xmlns:dc="http://purl.org/dc/elements/1.1/"
+				xmlns:atom="http://www.w3.org/2005/Atom"
+				xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
+				xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
+				
+				xmlns:georss="http://www.georss.org/georss"
+				xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
+				xmlns:media="http://search.yahoo.com/mrss/"
+			>
+				<channel>
+					<title>Test Feed</title>
+					<item>
+						<title>Test Item</title>
+						<media:thumbnail url="https://heavy.com/wp-content/uploads/2025/05/GettyImages-2172500144.jpg?quality=65&#038;strip=all" />
+						<media:content url="https://heavy.com/wp-content/uploads/2025/05/GettyImages-2172500144.jpg?quality=65&#038;strip=all" medium="image" type="image/*">
+							<media:title type="html">Houston Texans head coach DeMeco Ryans reacts before a game against the Chicago Bears.</media:title>
+
+							<media:credit>Getty</media:credit>
+						</media:content>
+					</item>
+				</channel>
+			</rss>');
+		$feed->init();
+		
+		$items = $feed->get_items();
+
+		// Check if we have items before accessing
+        $this->assertNotEmpty($items, 'No items found in feed');
+		$item = $items[0];
+		
+		$result = $this->feedzy_abstract->feedzy_retrieve_image($item);
+		
+		$this->assertEquals('https://heavy.com/wp-content/uploads/2025/05/GettyImages-2172500144.jpg?quality=65&strip=all', $result);
+	}
+
 	/**
 	 * Test feedzy_retrieve_image method with iTunes podcast image.
 	 */
@@ -506,4 +552,76 @@ public function test_extract_image_from_enclosure_with_media_thumbnail() {
 			$this->assertEquals('https://example.com/thumb.jpg', $result);
 		}
 	}
+
+	/**
+     * Test feedzy_image_encode method with regular image URLs.
+     */
+    public function test_feedzy_image_encode_regular_urls() {
+        $test_cases = array(
+            // [input, expected]
+            ['https://example.com/image.jpg', 'https://example.com/image.jpg'],
+            ['https://example.com/simple-image.png', 'https://example.com/simple-image.png'],
+            ['not-a-valid-url', 'http://not-a-valid-url'], // esc_url adds http://
+            ['', ''] // Empty URL
+        );
+        
+        foreach ($test_cases as [$input, $expected]) {
+            $result = $this->feedzy_abstract->feedzy_image_encode($input);
+            $this->assertEquals($expected, $result, "Failed for URL: $input");
+        }
+    }
+
+    /**
+     * Test feedzy_image_encode method with query parameter extraction.
+     */
+    public function test_feedzy_image_encode_query_parameter_extraction() {
+        $test_cases = array(
+            // [input_url, expected_result]
+            ['https://example.com/proxy?url=https://cdn.example.com/image.jpg&width=300', 'https://cdn.example.com/image.jpg'],
+            ['https://proxy.example.com/image?src=https://secure.example.com/photo.png', 'https://secure.example.com/photo.png'],
+            ['https://example.com/proxy?url=http://legacy.example.com/photo.gif', 'http://legacy.example.com/photo.gif'],
+            ['https://example.com/proxy?callback=jsonp&url=https://cdn.example.com/uploads/2023/image.jpg&format=json', 'https://cdn.example.com/uploads/2023/image.jpg'],
+        );
+        
+        foreach ($test_cases as [$input, $expected]) {
+            $result = $this->feedzy_abstract->feedzy_image_encode($input);
+            $this->assertEquals($expected, $result, "Failed for input: $input");
+        }
+    }
+
+    /**
+     * Test feedzy_image_encode method with various image extensions.
+     */
+    public function test_feedzy_image_encode_image_extensions() {
+        $extensions = ['jpeg', 'PNG', 'webp', 'WEBP', 'avif', 'AVIF', 'gif', 'GIF'];
+        
+        foreach ($extensions as $ext) {
+            $url = "https://example.com/proxy?url=https://cdn.example.com/image.$ext";
+            $expected = "https://cdn.example.com/image.$ext";
+            
+            $result = $this->feedzy_abstract->feedzy_image_encode($url);
+            $this->assertEquals($expected, $result, "Failed for extension: $ext");
+        }
+    }
+
+    /**
+     * Test feedzy_image_encode method with non-image and edge cases.
+     */
+    public function test_feedzy_image_encode_edge_cases() {
+        $test_cases = array(
+            // Non-image URL in query - should return original (with & escaped)
+            ['https://example.com/proxy?url=https://example.com/document.pdf&width=300', 'https://example.com/proxy?url=https://example.com/document.pdf&#038;width=300'],
+            // URL with image separated by spaces (more realistic test case)
+            ['https://example.com/proxy?description=Check this image: https://example.com/image.jpg out', 'https://example.com/image.jpg'],
+            // Invalid image format in query (with & escaped)
+            ['https://example.com/proxy?url=https://example.com/image&format=jpg', 'https://example.com/proxy?url=https://example.com/image&#038;format=jpg'],
+            // URL with special characters - this should extract the image
+            ['https://example.com/proxy?url=https://example.com/images/file%20name.jpg', 'https://example.com/images/file%20name.jpg'],
+        );
+        
+        foreach ($test_cases as [$input, $expected]) {
+            $result = $this->feedzy_abstract->feedzy_image_encode($input);
+            $this->assertEquals($expected, $result, "Failed for input: $input");
+        }
+    }
 }
