Merge pull request #5366 from ampproject/fix/5358-multiple-entries-in-img-srcset

Validate and sanitize image candidates in srcset attribute

Author: westonruter

.phpcs.xml.dist

@@ -65,6 +65,7 @@
 				<element value="firstChild"/>
 				<element value="lastChild"/>
 				<element value="nodeValue"/>
+				<element value="ownerElement"/>
 				<element value="DEFAULT_ARGS"/>
 				<element value="documentElement"/>
 				<element value="removeChild"/>

includes/amp-helper-functions.php

@@ -1517,6 +1517,7 @@ function amp_get_content_sanitizers( $post = null ) {
 				'force_svg_support' => [], // Always replace 'no-svg' class with 'svg' if it exists.
 			],
 		],
+		'AMP_Srcset_Sanitizer'            => [],
 		'AMP_Img_Sanitizer'               => [
 			'align_wide_support' => current_theme_supports( 'align-wide' ),
 		],
@@ -1639,8 +1640,8 @@ function amp_get_content_sanitizers( $post = null ) {
 	 */
 	$sanitizers['AMP_Style_Sanitizer']['allow_transient_caching'] = apply_filters( 'amp_parsed_css_transient_caching_allowed', true );
 
-	// Force style sanitizer, meta sanitizer, and validating sanitizer to be at end.
-	foreach ( [ 'AMP_Style_Sanitizer', 'AMP_Meta_Sanitizer', 'AMP_Tag_And_Attribute_Sanitizer' ] as $class_name ) {
+	// Force layout, style, meta, and validating sanitizers to be at the end.
+	foreach ( [ 'AMP_Layout_Sanitizer', 'AMP_Style_Sanitizer', 'AMP_Meta_Sanitizer', 'AMP_Tag_And_Attribute_Sanitizer' ] as $class_name ) {
 		if ( isset( $sanitizers[ $class_name ] ) ) {
 			$sanitizer = $sanitizers[ $class_name ];
 			unset( $sanitizers[ $class_name ] );

includes/sanitizers/class-amp-srcset-sanitizer.php

@@ -0,0 +1,126 @@
+<?php
+/**
+ * Class AMP_Srcset_Sanitizer.
+ *
+ * @package AMP
+ */
+
+/**
+ * Sanitizes the `srcset` attribute of elements.
+ *
+ * @internal
+ * @since 2.0.2
+ */
+class AMP_Srcset_Sanitizer extends AMP_Base_Sanitizer {
+
+	/**
+	 * Pattern used used for finding image candidates defined within the `srcset` attribute.
+	 * The pattern is adapted from the JS validator. See https://github.com/ampproject/amphtml/blob/5fcb29a41d06867b25ed6aca69b4aeaf96456c8c/validator/js/engine/parse-srcset.js#L72-L81.
+	 *
+	 * @var string
+	 */
+	const SRCSET_REGEX_PATTERN = '/\s*(?:,\s*)?(?<url>[^,\s]\S*[^,\s])\s*(?<dimension>[1-9]\d*[wx]|[1-9]\d*\.\d+x|0.\d*[1-9]\d*x)?\s*(?<comma>,)?\s*/';
+
+	/**
+	 * Sanitize the HTML contained in the DOMDocument received by the constructor
+	 */
+	public function sanitize() {
+		$attribute_query = $this->dom->xpath->query( '//*/@srcset' );
+
+		if ( 0 === $attribute_query->length ) {
+			return;
+		}
+
+		foreach ( $attribute_query as $attribute ) {
+			/** @var DOMAttr $attribute */
+			if ( ! empty( $attribute->value ) ) {
+				$this->sanitize_srcset_attribute( $attribute );
+			}
+		}
+	}
+
+	/**
+	 * Parses the `srcset` attribute and validates each image candidate defined.
+	 *
+	 * Validation errors will be raised if the attribute value is malformed or contains image candidates
+	 * with the same width or pixel density defined.
+	 *
+	 * @param DOMAttr $attribute Srcset attribute.
+	 */
+	private function sanitize_srcset_attribute( DOMAttr $attribute ) {
+		$srcset = $attribute->value;
+
+		// Bail and raise a validation error if no image candidates were found or the last matched group does not
+		// match the end of the `srcset`.
+		if (
+			! preg_match_all( self::SRCSET_REGEX_PATTERN, $srcset, $matches )
+			||
+			end( $matches[0] ) !== substr( $srcset, -strlen( end( $matches[0] ) ) )
+		) {
+
+			$validation_error = [
+				'code' => AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE,
+			];
+			$this->remove_invalid_attribute( $attribute->ownerElement, $attribute, $validation_error );
+			return;
+		}
+
+		$dimension_count = count( $matches['dimension'] );
+		$commas_count    = count( array_filter( $matches['comma'] ) );
+
+		// Bail and raise a validation error if the number of dimensions does not match the number of URLs, or there
+		// are not enough commas to separate the image candidates.
+		if ( count( $matches['url'] ) !== $dimension_count || ( $dimension_count - 1 ) !== $commas_count ) {
+			$validation_error = [
+				'code' => AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE,
+			];
+			$this->remove_invalid_attribute( $attribute->ownerElement, $attribute, $validation_error );
+			return;
+		}
+
+		// Bail if there are no duplicate image candidates.
+		// Note: array_flip() is used as a faster alternative to array_unique(). See https://stackoverflow.com/a/8321709/93579.
+		if ( count( array_flip( $matches['dimension'] ) ) === $dimension_count ) {
+			return;
+		}
+
+		$image_candidates     = [];
+		$duplicate_dimensions = [];
+
+		foreach ( $matches['dimension'] as $index => $dimension ) {
+			if ( empty( trim( $dimension ) ) ) {
+				$dimension = '1x';
+			}
+
+			// Catch if there are duplicate dimensions that have different URLs. In such cases a validation error will be raised.
+			if ( isset( $image_candidates[ $dimension ] ) && $matches['url'][ $index ] !== $image_candidates[ $dimension ] ) {
+				$duplicate_dimensions[] = $dimension;
+				continue;
+			}
+
+			$image_candidates[ $dimension ] = $matches['url'][ $index ];
+		}
+
+		// If there are duplicates, raise a validation error and stop short-circuit processing if the error is not removed.
+		if ( ! empty( $duplicate_dimensions ) ) {
+			$validation_error = [
+				'code'                 => AMP_Tag_And_Attribute_Sanitizer::DUPLICATE_DIMENSIONS,
+				'duplicate_dimensions' => $duplicate_dimensions,
+			];
+			if ( ! $this->should_sanitize_validation_error( $validation_error, [ 'node' => $attribute ] ) ) {
+				return;
+			}
+		}
+
+		// Otherwise, output the normalized/validated srcset value.
+		$attribute->value = implode(
+			', ',
+			array_map(
+				static function ( $dimension ) use ( $image_candidates ) {
+					return "{$image_candidates[ $dimension ]} {$dimension}";
+				},
+				array_keys( $image_candidates )
+			)
+		);
+	}
+}

includes/sanitizers/class-amp-tag-and-attribute-sanitizer.php

@@ -46,6 +46,7 @@ class AMP_Tag_And_Attribute_Sanitizer extends AMP_Base_Sanitizer {
 	const DISALLOWED_RELATIVE_URL              = 'DISALLOWED_RELATIVE_URL';
 	const DISALLOWED_TAG                       = 'DISALLOWED_TAG';
 	const DISALLOWED_TAG_ANCESTOR              = 'DISALLOWED_TAG_ANCESTOR';
+	const DUPLICATE_DIMENSIONS                 = 'DUPLICATE_DIMENSIONS';
 	const DUPLICATE_ONEOF_ATTRS                = 'DUPLICATE_ONEOF_ATTRS';
 	const DUPLICATE_UNIQUE_TAG                 = 'DUPLICATE_UNIQUE_TAG';
 	const IMPLIED_LAYOUT_INVALID               = 'IMPLIED_LAYOUT_INVALID';
@@ -1942,8 +1943,8 @@ private function check_attr_spec_rule_allowed_protocol( DOMElement $node, $attr_
 	 */
 	private function extract_attribute_urls( DOMAttr $attribute_node, $spec_attr_name = null ) {
 		/*
-		 * Handle the srcset special case where the attribute value can contain multiple parts, each in the format `URL [WIDTH] [PIXEL_DENSITY]`.
-		 * So we split the srcset attribute value by commas and then return the first token of each item, omitting width descriptor and pixel density descriptor.
+		 * Handle the srcset special case where the attribute value can contain multiple parts, each in the format `URL [WIDTH OR PIXEL_DENSITY]`.
+		 * So we split the srcset attribute value by commas and then return the first token of each item, omitting width or pixel density descriptor.
 		 * This splitting cannot be done for other URLs because it a comma can appear in a URL itself generally, but the syntax can break in srcset,
 		 * unless the commas are URL-encoded.
 		 */

includes/validation/class-amp-validation-error-taxonomy.php

@@ -3166,10 +3166,9 @@ static function ( $attribute_name ) {
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE_REGEX_CASEI:
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_DISALLOWED_VALUE_REGEX:
 				return sprintf(
-					/* translators: %1$s is the attribute name, %2$s is the invalid attribute value */
-					esc_html__( 'The attribute %1$s is set to the invalid value %2$s', 'amp' ),
-					'<code>' . esc_html( $validation_error['node_name'] ) . '</code>',
-					'<code>' . esc_html( $validation_error['element_attributes'][ $validation_error['node_name'] ] ) . '</code>'
+					/* translators: %s is the attribute name */
+					esc_html__( 'The attribute %s is set to an invalid value', 'amp' ),
+					'<code>' . esc_html( $validation_error['node_name'] ) . '</code>'
 				);
 
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_URL_PROTOCOL:
@@ -3206,6 +3205,14 @@ static function ( $attribute_name ) {
 					'<code>' . esc_html( $validation_error['node_name'] ) . '</code>'
 				);
 
+			case AMP_Tag_And_Attribute_Sanitizer::DUPLICATE_DIMENSIONS:
+				return sprintf(
+					/* translators: %1$s is the attribute name, %2$s is the tag name */
+					esc_html__( 'Multiple image candidates with the same width or pixel density found in attribute %1$s in tag %2$s', 'amp' ),
+					'<code>' . esc_html( $validation_error['node_name'] ) . '</code>',
+					'<code>' . esc_html( $validation_error['parent_name'] ) . '</code>'
+				);
+
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_LAYOUT_WIDTH:
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_LAYOUT_HEIGHT:
 			case AMP_Tag_And_Attribute_Sanitizer::INVALID_LAYOUT_AUTO_HEIGHT:
@@ -3339,6 +3346,8 @@ public static function get_source_key_label( $key, $validation_error ) {
 				return __( 'URL', 'amp' );
 			case 'message':
 				return __( 'Message', 'amp' );
+			case 'duplicate_dimensions':
+				return __( 'Duplicate dimensions', 'amp' );
 			default:
 				return $key;
 		}

tests/php/test-amp-helper-functions.php

@@ -1315,7 +1315,8 @@ static function( $classes ) {
 			}
 		);
 		$ordered_sanitizers = array_keys( amp_get_content_sanitizers() );
-		$this->assertEquals( 'Even_After_Validating_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 4 ] );
+		$this->assertEquals( 'Even_After_Validating_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 5 ] );
+		$this->assertEquals( 'AMP_Layout_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 4 ] );
 		$this->assertEquals( 'AMP_Style_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 3 ] );
 		$this->assertEquals( 'AMP_Meta_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 2 ] );
 		$this->assertEquals( 'AMP_Tag_And_Attribute_Sanitizer', $ordered_sanitizers[ count( $ordered_sanitizers ) - 1 ] );

tests/php/test-class-amp-srcset-sanitizer.php

@@ -0,0 +1,158 @@
+<?php
+/**
+ * Class AMP_Srcset_Sanitizer_Test.
+ *
+ * @package AMP
+ */
+
+use AmpProject\AmpWP\Tests\Helpers\MarkupComparison;
+
+/**
+ * Class AMP_Srcset_Sanitizer_Test
+ *
+ * @coversDefaultClass AMP_Srcset_Sanitizer
+ */
+class AMP_Srcset_Sanitizer_Test extends WP_UnitTestCase {
+
+	use MarkupComparison;
+
+	/**
+	 * Provide the data to test the sanitize() method.
+	 *
+	 * @return array[] Test data.
+	 */
+	public function data_sanitize() {
+		return [
+			'img_with_valid_srcset'                     => [
+				'<img src="https://example.com/image.jpg" srcset="https://example.com/image.jpg, https://example.com/image-1.jpg     512w, https://example.com/image-2.jpg 1024w   , https://example.com/image-3.jpg 300w, https://example.com/image-4.jpg 768w" width="350" height="150">',
+				null,
+			],
+
+			'img_with_duplicate_img_candidate_but_same_url' => [
+				'<img src="https://example.com/image.jpg" srcset="https://example.com/image.jpg, https://example.com/image-1.jpg     1024w, https://example.com/image-1.jpg 1024w   , https://example.com/image-2.jpg 300w, https://example.com/image-3.jpg 768w" width="350" height="150">',
+				'<img src="https://example.com/image.jpg" srcset="https://example.com/image.jpg 1x, https://example.com/image-1.jpg 1024w, https://example.com/image-2.jpg 300w, https://example.com/image-3.jpg 768w" width="350" height="150">',
+			],
+
+			'img_with_duplicate_img_candidate_but_different_url' => [
+				'<img src="https://example.com/image.jpg" srcset="https://example.com/image.jpg, https://example.com/image-1.jpg     1024w, https://example.com/image-2.jpg 1024w   , https://example.com/image-2.jpg 300w, https://example.com/image-3.jpg 768w" width="350" height="150">',
+				'<img src="https://example.com/image.jpg" srcset="https://example.com/image.jpg 1x, https://example.com/image-1.jpg 1024w, https://example.com/image-2.jpg 300w, https://example.com/image-3.jpg 768w" width="350" height="150">',
+				[ AMP_Tag_And_Attribute_Sanitizer::DUPLICATE_DIMENSIONS ],
+			],
+
+			'amp_img_srcset_missing_comma'              => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image-1.jpg 1024w https://example.com/image-2.jpg 1024w">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_empty'                      => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="">',
+				null,
+			],
+
+			'amp_img_srcset_whitespace'                 => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="    ">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_bare_number'        => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="1">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_dimension_unit'     => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 500px">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_space_in_dimension' => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 2 x">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_dimension_type'     => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 5kw">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_width_descriptor'   => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 5.2w">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_zero_width'         => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 0w">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_invalid_zero_pixel_density' => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 0.0x">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+
+			'amp_img_srcset_valid_pixel_density'        => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 5x">',
+				null,
+			],
+
+			'amp_img_srcset_valid_float_pixel_density'  => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 5.2x">',
+				null,
+			],
+
+			'amp_img_srcset_valid_float_pixel_density_with_leading_zero' => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="https://example.com/image.jpg 0.002x">',
+				null,
+			],
+
+			'amp_img_srcset_invalid_tokens'             => [
+				'<img src="https://example.com/image.jpg" height="100" width="200" srcset="bad bad">',
+				'<img src="https://example.com/image.jpg" height="100" width="200">',
+				[ AMP_Tag_And_Attribute_Sanitizer::INVALID_ATTR_VALUE ],
+			],
+		];
+	}
+
+	/**
+	 * Test the sanitize() method.
+	 *
+	 * @covers ::sanitize()
+	 * @dataProvider data_sanitize()
+	 *
+	 * @param string      $source               Source.
+	 * @param string|null $expected             Expected. If null, then no change from source.
+	 * @param array       $expected_error_codes Expected error codes.
+	 */
+	public function test_sanitize( $source, $expected = null, $expected_error_codes = [] ) {
+		$error_codes = [];
+		if ( null === $expected ) {
+			$expected = $source;
+		}
+
+		$args = [
+			'use_document_element'      => true,
+			'validation_error_callback' => static function( $error ) use ( &$error_codes ) {
+				$error_codes[] = $error['code'];
+			},
+		];
+
+		$dom = AMP_DOM_Utils::get_dom_from_content( $source );
+
+		$sanitizer = new AMP_Srcset_Sanitizer( $dom, $args );
+		$sanitizer->sanitize();
+
+		$this->assertEqualSets( $error_codes, $expected_error_codes );
+
+		$content = AMP_DOM_Utils::get_content_from_dom( $dom );
+
+		$this->assertEqualMarkup( $expected, $content );
+	}
+}

tests/php/test-tag-and-attribute-sanitizer.php

@@ -2281,8 +2281,8 @@ function getRemoteData() { /*...*/ }
 				[ AMP_Tag_And_Attribute_Sanitizer::MISSING_URL, AMP_Tag_And_Attribute_Sanitizer::ATTR_REQUIRED_BUT_MISSING ],
 			],
 
-			'amp_img_missing_url'                          => [
-				'<amp-img src="" height="100" width="200"></amp-img>',
+			'amp_img_missing_srcset'                       => [
+				'<amp-img srcset="" height="100" width="200"></amp-img>',
 				'',
 				[],
 				[ AMP_Tag_And_Attribute_Sanitizer::MISSING_URL, AMP_Tag_And_Attribute_Sanitizer::ATTR_REQUIRED_BUT_MISSING ],