From 8567f8ba7c2f83a91e3758cfe4816d2fe6244ba9 Mon Sep 17 00:00:00 2001 From: selul Date: Wed, 6 Feb 2019 17:20:53 +0200 Subject: [PATCH] fix: image url replacement on non whitelisted urls --- inc/app_replacer.php | 4 ++++ inc/url_replacer.php | 4 ++++ tests/test-replacer.php | 32 ++++++++++++++++++++++++-------- 3 files changed, 32 insertions(+), 8 deletions(-) diff --git a/inc/app_replacer.php b/inc/app_replacer.php index 74eb0537..46c38fdb 100644 --- a/inc/app_replacer.php +++ b/inc/app_replacer.php @@ -273,6 +273,10 @@ public function can_replace_url( $url ) { } $url = parse_url( $url ); + if ( ! isset( $url['host'] ) ) { + return false; + } + return isset( $this->possible_sources[ $url['host'] ] ); } diff --git a/inc/url_replacer.php b/inc/url_replacer.php index 3fa3edc8..645b5bf2 100644 --- a/inc/url_replacer.php +++ b/inc/url_replacer.php @@ -51,6 +51,7 @@ public function init() { Optml_Image::$watermark = new Optml_Watermark( $this->settings->get_site_settings()['watermark'] ); add_filter( 'optml_content_url', array( $this, 'build_image_url' ), 1, 2 ); + } /** @@ -79,6 +80,9 @@ public function build_image_url( if ( strpos( $url, Optml_Config::$service_url ) !== false ) { return $url; } + if ( ! $this->can_replace_url( $url ) ) { + return $url; + } if ( ! $this->is_valid_mimetype_from_url( $url ) ) { return $url; } diff --git a/tests/test-replacer.php b/tests/test-replacer.php index e938a257..5eb29326 100644 --- a/tests/test-replacer.php +++ b/tests/test-replacer.php @@ -34,7 +34,7 @@ class Test_Replacer extends WP_UnitTestCase { '; const IMAGE_SIZE_NO_CLASS = '
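Review bot: The new host guard in can_replace_url looks up parse_url()'s host verbatim in possible_sources, and parse_url() does not case-fold, so a URL written as `HTTPS://WWW.Example.org/...` is rejected even when `www.example.org` is a registered source — fail-closed, but such images are then silently left unrewritten. If the possible_sources keys are stored lowercase (not visible here), fold before the lookup: `$host = strtolower( $url['host'] );` followed by `return isset( $this->possible_sources[ $host ] );`. The early return also deserves a comment stating what it covers, since relative paths, `data:`/`javascript:` URIs and anything parse_url() rejects with false all have no host, e.g. `// No host (relative path, data:/javascript: URI, or unparsable URL): never rewrite.`. can_replace_url starts before the hunk, so its earlier checks are not visible.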
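Review bot: The can_replace_url() guard added to build_image_url returns any URL without a registered host untouched, and by the app_replacer hunk that includes host-less URLs, so relative or protocol-less upload paths that previously went straight on to the mimetype check are no longer rewritten by this filter; if relative `/wp-content/uploads/...` references are expected to be optimized, that is a regression to confirm against whatever feeds `optml_content_url`. The new check carries no explanation of why it exists; I would add `// Only rewrite URLs whose host is a registered source; the service should not be pointed at arbitrary third-party origins.` above it. Whether other code paths besides this filter build service URLs and need the same guard cannot be told from here. build_image_url's signature and the rest of its body lie outside the hunk.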
Test
'; - const ELEMENTOR_DATA = '[{"id":"428f250c","elType":"section","settings":{"structure":"33","content_width":{"unit":"px","size":1140},"content_position":"middle","gap":"extended","padding":{"unit":"px","top":"10","right":"0","bottom":"10","left":"0","isLinked":false},"padding_mobile":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":true}},"elements":[{"id":"1b041a88","elType":"column","settings":{"_column_size":25,"_inline_size":20.66,"_inline_size_tablet":25,"_inline_size_mobile":50,"content_position":"top"},"elements":[{"id":"34d685ef","elType":"widget","settings":{"image":{"id":36009,"url":"https:\/\/www.codeinwp.com\/wp-content\/uploads\/2018\/05\/codeinwp-logo.svg"},"image_size":"full","link_to":"custom","link":{"url":"https:\/\/www.codeinwp.com\/","is_external":"","nofollow":""},"align":"left","width":{"unit":"px","size":120},"space":{"unit":"%","size":100},"opacity":{"unit":"px","size":1},"_margin":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"_element_id":"logo"},"elements":[],"widgetType":"image"}],"isInner":false},{"id":"437f5756","elType":"column","settings":{"_column_size":50,"_inline_size":71.992000000000004,"_inline_size_tablet":70,"_inline_size_mobile":40,"padding_mobile":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":true}},"elements":[{"id":"3c7d3ebf","elType":"widget","settings":{"align_items":"right","pointer":"none","color_menu_item":"#0a4266","menu_typography_typography":"custom","menu_typography_font_weight":"bold","menu_typography_text_transform":"lowercase","color_menu_item_hover":"#ec4646","color_menu_item_active":"#ec4646","menu_typography_font_size":{"unit":"px","size":18},"_margin":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"indicator":"none","dropdown":"mobile","full_width":"stretch","menu_typography_font_size_tablet":{"unit":"px","size":18},"padding_horizontal_menu_item_tablet":{"unit":"px","size":14},"toggle_size":{"unit":"p
x","size":25},"_padding":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"color_dropdown_item":"#0a4266","color_dropdown_item_hover":"#ec4646","background_color_dropdown_item_hover":"rgba(0,0,0,0)","dropdown_typography_typography":"custom","dropdown_typography_font_family":"proxima-nova","dropdown_typography_font_size":{"unit":"px","size":16},"menu_typography_font_size_mobile":{"unit":"px","size":18},"dropdown_typography_font_size_mobile":{"unit":"px","size":25},"dropdown_typography_text_transform":"lowercase","menu":"main-menu-homepage"},"elements":[],"widgetType":"nav-menu"}],"isInner":false},{"id":"7fafd26c","elType":"column","settings":{"_column_size":25,"_inline_size":7.3479999999999999,"_inline_size_tablet":5,"_inline_size_mobile":2},"elements":[{"id":"8f16004","elType":"widget","settings":{"image":{"url":"https:\/\/www.codeinwp.com\/wp-content\/uploads\/2018\/05\/test.png","id":36135},"image_size":"custom","width":{"unit":"px","size":30},"space":{"unit":"%","size":30},"_element_id":"header-trigger"},"elements":[],"widgetType":"image"}],"isInner":false}],"isInner":false}]'; + const ELEMENTOR_DATA = 
'[{"id":"428f250c","elType":"section","settings":{"structure":"33","content_width":{"unit":"px","size":1140},"content_position":"middle","gap":"extended","padding":{"unit":"px","top":"10","right":"0","bottom":"10","left":"0","isLinked":false},"padding_mobile":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":true}},"elements":[{"id":"1b041a88","elType":"column","settings":{"_column_size":25,"_inline_size":20.66,"_inline_size_tablet":25,"_inline_size_mobile":50,"content_position":"top"},"elements":[{"id":"34d685ef","elType":"widget","settings":{"image":{"id":36009,"url":"https:\/\/www.example.org\/wp-content\/uploads\/2018\/05\/codeinwp-logo.svg"},"image_size":"full","link_to":"custom","link":{"url":"https:\/\/www.example.org\/","is_external":"","nofollow":""},"align":"left","width":{"unit":"px","size":120},"space":{"unit":"%","size":100},"opacity":{"unit":"px","size":1},"_margin":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"_element_id":"logo"},"elements":[],"widgetType":"image"}],"isInner":false},{"id":"437f5756","elType":"column","settings":{"_column_size":50,"_inline_size":71.992000000000004,"_inline_size_tablet":70,"_inline_size_mobile":40,"padding_mobile":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":true}},"elements":[{"id":"3c7d3ebf","elType":"widget","settings":{"align_items":"right","pointer":"none","color_menu_item":"#0a4266","menu_typography_typography":"custom","menu_typography_font_weight":"bold","menu_typography_text_transform":"lowercase","color_menu_item_hover":"#ec4646","color_menu_item_active":"#ec4646","menu_typography_font_size":{"unit":"px","size":18},"_margin":{"unit":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"indicator":"none","dropdown":"mobile","full_width":"stretch","menu_typography_font_size_tablet":{"unit":"px","size":18},"padding_horizontal_menu_item_tablet":{"unit":"px","size":14},"toggle_size":{"unit":"px","size":25},"_padding":{"uni
t":"px","top":"0","right":"0","bottom":"0","left":"0","isLinked":false},"color_dropdown_item":"#0a4266","color_dropdown_item_hover":"#ec4646","background_color_dropdown_item_hover":"rgba(0,0,0,0)","dropdown_typography_typography":"custom","dropdown_typography_font_family":"proxima-nova","dropdown_typography_font_size":{"unit":"px","size":16},"menu_typography_font_size_mobile":{"unit":"px","size":18},"dropdown_typography_font_size_mobile":{"unit":"px","size":25},"dropdown_typography_text_transform":"lowercase","menu":"main-menu-homepage"},"elements":[],"widgetType":"nav-menu"}],"isInner":false},{"id":"7fafd26c","elType":"column","settings":{"_column_size":25,"_inline_size":7.3479999999999999,"_inline_size_tablet":5,"_inline_size_mobile":2},"elements":[{"id":"8f16004","elType":"widget","settings":{"image":{"url":"https:\/\/www.example.org\/wp-content\/uploads\/2018\/05\/test.png","id":36135},"image_size":"custom","width":{"unit":"px","size":30},"space":{"unit":"%","size":30},"_element_id":"header-trigger"},"elements":[],"widgetType":"image"}],"isInner":false}],"isInner":false}]'; const TEST_STAGING = ''; + const TEST_WRONG_URLS = ''; public static $sample_post; public static $sample_attachement; @@ -112,6 +118,13 @@ public function test_style_replacement() { } + public function test_replacement_non_whitelisted_urls() { + $replaced_content = Optml_Manager::instance()->replace_content( self::TEST_WRONG_URLS ); + + $this->assertNotContains( 'i.optimole.com', $replaced_content ); + $this->assertContains( 'https://www.codeinwp.org', $replaced_content ); + } + public function test_non_allowed_extensions() { $replaced_content = Optml_Manager::instance()->replace_content( ( self::CSS_STYLE . self::IMG_TAGS . self::WRONG_EXTENSION ) ); $this->assertContains( 'i.optimole.com', $replaced_content ); 
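Review bot: TEST_WRONG_URLS (like the neighbouring TEST_STAGING) has no comment saying which host its markup uses or why that host must stay outside the whitelist, and in this rendering the constant reads as an empty string, presumably because the HTML was stripped; the assertion in test_replacement_non_whitelisted_urls expects `https://www.codeinwp.org` to survive, so that is evidently the host. A one-line comment above the constant, `// Markup whose image URLs use a host that is not a registered source; the replacer must leave it untouched.`, would make the intent readable without opening the test. The class header is outside the hunk.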
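Review bot: test_replacement_non_whitelisted_urls only shows that a document with a foreign host is left alone; it would pass just as well if the new can_replace_url() guard rejected every URL, because nothing in the fixture is expected to be rewritten. Add a positive control in the same test by including content that is known to be rewritten — test_non_allowed_extensions shows that CSS_STYLE . IMG_TAGS content gets an `i.optimole.com` URL — e.g. `$replaced_content = Optml_Manager::instance()->replace_content( self::IMG_TAGS . self::TEST_WRONG_URLS );` then `$this->assertContains( 'i.optimole.com', $replaced_content );` for the whitelisted part and `$this->assertContains( 'https://www.codeinwp.org', $replaced_content );` for the foreign part. Asserting on the full foreign URL rather than the bare host prefix would also rule out the host merely surviving inside a rewritten service URL.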
@@ -123,7 +136,7 @@ public function test_elementor_data() { $replaced_content = Optml_Manager::instance()->replace_content( ( self::ELEMENTOR_DATA ), 'elementor' ); $this->assertContains( 'i.optimole.com', $replaced_content ); //Test if wrong extension is still present in the output. - $this->assertNotContains( "\"https:\/\/www.codeinwp.com\/wp-content", $replaced_content ); + $this->assertNotContains( "\"https:\/\/www.example.org\/wp-content", $replaced_content ); } public function test_max_size_height() { @@ -146,10 +159,10 @@ public function test_cropping_sizes() { global $_test_posssible_values_y_sizes; global $_test_posssible_values_x_sizes; $allowed_gravities = array( - 'left' => Optml_Resize::GRAVITY_WEST, - 'right' => Optml_Resize::GRAVITY_EAST, - 'top' => Optml_Resize::GRAVITY_NORTH, - 'bottom' => Optml_Resize::GRAVITY_SOUTH, + 'left' => Optml_Resize::GRAVITY_WEST, + 'right' => Optml_Resize::GRAVITY_EAST, + 'top' => Optml_Resize::GRAVITY_NORTH, + 'bottom' => Optml_Resize::GRAVITY_SOUTH, 'lefttop' => Optml_Resize::GRAVITY_NORTH_WEST, 'leftbottom' => Optml_Resize::GRAVITY_SOUTH_WEST, 'righttop' => Optml_Resize::GRAVITY_NORTH_EAST, @@ -171,7 +184,7 @@ public function test_cropping_sizes() { if ( ! isset( $allowed_gravities[ $x_value . $y_value ] ) ) { $gravity_key = Optml_Resize::GRAVITY_CENTER; } else { - $gravity_key = $allowed_gravities[ $x_value . $y_value ]; + $gravity_key = $allowed_gravities[ $x_value . $y_value ]; } $attachement_url = wp_get_attachment_image_src( self::$sample_attachement, 'sample_size_h_' . $x_value . $y_value ); 
@@ -242,12 +255,14 @@ public function test_double_replacement() { $this->assertContains( 'i.optimole.com', $doubled_ccontent ); $this->assertEquals( 2, substr_count( $doubled_ccontent, 'i.optimole.com' ) ); } - public function test_image_size_2_crop(){ + + public function test_image_size_2_crop() { $replaced_content = Optml_Manager::instance()->replace_content( self::IMAGE_SIZE_NO_CLASS ); $this->assertContains( 'rt:fill', $replaced_content ); $this->assertContains( 'i.optimole.com', $replaced_content ); } + public function test_replacement_with_image_size() { //Nasty hack to fetch old url from $attachement = wp_get_attachment_image_src( self::$sample_attachement, 'medium' ); @@ -282,6 +297,7 @@ public function test_parse_json_data_disabled() { $this->assertEquals( 2, substr_count( $replaced_content2, '/http:\/\/' ) ); } + public function test_filter_sizes_attr() { global $wp_current_filter;