handle invalid data urls in absolute source filter

glaszig · glaszig · commit 3cbad68a6636 · 2022-06-10T21:14:01.000-03:00
simply catch exceptions coming from URI.join like the camo filter does. the truth is that arbitrary input can be mal-formatted, e.g. URI::InvalidURIError: bad URI(is not URI?): "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg'
diff --git a/lib/html/pipeline/absolute_source_filter.rb b/lib/html/pipeline/absolute_source_filter.rb
@@ -28,7 +28,12 @@ def call
                  else
                    image_subpage_url
                  end
-          element['src'] = URI.join(base, src).to_s
+
+          begin
+            element['src'] = URI.join(base, src).to_s
+          rescue Exception
+            next
+          end
         end
         doc
       end
diff --git a/test/html/pipeline/absolute_source_filter_test.rb b/test/html/pipeline/absolute_source_filter_test.rb
@@ -53,4 +53,12 @@ def test_tells_you_where_context_is_required
     end
     assert_match 'HTML::Pipeline::AbsoluteSourceFilter', exception.message
   end
+
+  def test_ignores_data_urls
+    orig = %(<p><img src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"></p>)
+    result = AbsoluteSourceFilter.call(orig, @options).to_s
+
+    expected = %(<p><img src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20696%20391'%3E%3Crect%20x='0'%20y='0'%20width='696'%20height='391'%20fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"></p>)
+    assert_equal expected, result
+  end
 end
