Do not proxy image data url

2025-08-11 17:51:01 +00:00 · 2020-10-14 22:19:05 -07:00 · 2020-10-14 22:19:05 -07:00 · 3afdf25012
commit 3afdf25012
parent 5c3e78f605
6 changed files with 111 additions and 13 deletions
--- a/reader/sanitizer/sanitizer.go
+++ b/reader/sanitizer/sanitizer.go
@ -19,6 +19,7 @@ import (

 var (
 	youtubeEmbedRegex = regexp.MustCompile(`//www\.youtube\.com/embed/(.*)`)
+	splitSrcsetRegex  = regexp.MustCompile(`,\s+`)
 )

 // Sanitize returns safe HTML.
@ -110,6 +111,8 @@ func sanitizeAttributes(baseURL, tagName string, attributes []html.Attribute) ([
 				} else {
 					continue
 				}
+			} else if tagName == "img" && attribute.Key == "src" && strings.HasPrefix(attribute.Val, "data:") {
+				value = attribute.Val
 			} else {
 				value, err = url.AbsoluteURL(baseURL, value)
 				if err != nil {
@ -439,15 +442,19 @@ Each string is composed of:
 */
 func sanitizeSrcsetAttr(baseURL, value string) string {
 	var sanitizedSources []string
-	rawSources := strings.Split(value, ",")
+	rawSources := splitSrcsetRegex.Split(value, -1)
 	for _, rawSource := range rawSources {
 		parts := strings.Split(strings.TrimSpace(rawSource), " ")
 		nbParts := len(parts)

 		if nbParts > 0 {
-			sanitizedSource, err := url.AbsoluteURL(baseURL, parts[0])
-			if err != nil {
-				continue
+			sanitizedSource := parts[0]
+			if !strings.HasPrefix(parts[0], "data:") {
+				var err error
+				sanitizedSource, err = url.AbsoluteURL(baseURL, parts[0])
+				if err != nil {
+					continue
+				}
 			}

 			if nbParts == 2 && isValidWidthOrDensityDescriptor(parts[1]) {
--- a/reader/sanitizer/sanitizer_test.go
+++ b/reader/sanitizer/sanitizer_test.go
@ -15,8 +15,18 @@ func TestValidInput(t *testing.T) {
 	}
 }

+func TestImgWithDataURL(t *testing.T) {
+	input := `<img src="data:image/gif;base64,test" alt="Example">`
+	expected := `<img src="data:image/gif;base64,test" alt="Example" loading="lazy">`
+	output := Sanitize("http://example.org/", input)
+
+	if output != expected {
+		t.Errorf(`Wrong output: %s`, output)
+	}
+}
+
 func TestImgWithSrcset(t *testing.T) {
-	input := `<img srcset="example-320w.jpg, example-480w.jpg 1.5x, example-640w.jpg 2x,example-640w.jpg 640w" src="example-640w.jpg" alt="Example">`
+	input := `<img srcset="example-320w.jpg, example-480w.jpg 1.5x,   example-640w.jpg 2x, example-640w.jpg 640w" src="example-640w.jpg" alt="Example">`
 	expected := `<img srcset="http://example.org/example-320w.jpg, http://example.org/example-480w.jpg 1.5x, http://example.org/example-640w.jpg 2x, http://example.org/example-640w.jpg 640w" src="http://example.org/example-640w.jpg" alt="Example" loading="lazy">`
 	output := Sanitize("http://example.org/", input)

@ -25,6 +35,16 @@ func TestImgWithSrcset(t *testing.T) {
 	}
 }

+func TestImgWithSrcsetAndDataURL(t *testing.T) {
+	input := `<img srcset="data:image/gif;base64,test" src="http://example.org/example-320w.jpg" alt="Example">`
+	expected := `<img srcset="data:image/gif;base64,test" src="http://example.org/example-320w.jpg" alt="Example" loading="lazy">`
+	output := Sanitize("http://example.org/", input)
+
+	if output != expected {
+		t.Errorf(`Wrong output: %s`, output)
+	}
+}
+
 func TestSourceWithSrcsetAndMedia(t *testing.T) {
 	input := `<picture><source media="(min-width: 800px)" srcset="elva-800w.jpg"></picture>`
 	expected := `<picture><source media="(min-width: 800px)" srcset="http://example.org/elva-800w.jpg"></picture>`