From e9c062a189cfad71922fc576d636610da18006d4 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Fri, 18 Jun 2021 11:20:57 +0300
Subject: [PATCH] UrlHelper::rewrite_relative():

 - support invoking specifying owner URL element/attribute
 - restrict mailto/magnet/tel schemes for A href
 - allow some data: base64 image types for IMG src

Sanitizer::sanitize():

 - when checking href and src attributes, pass element tagname and attribute to rewrite_relative()
---
 classes/sanitizer.php |  6 +++---
 classes/urlhelper.php | 21 +++++++++++++++++----
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/classes/sanitizer.php b/classes/sanitizer.php
index 07766dc16..0a444a296 100644
--- a/classes/sanitizer.php
+++ b/classes/sanitizer.php
@@ -74,7 +74,7 @@ class Sanitizer {
 
 			if ($entry->hasAttribute('href')) {
 				$entry->setAttribute('href',
-					rewrite_relative_url($rewrite_base_url, $entry->getAttribute('href')));
+					UrlHelper::rewrite_relative($rewrite_base_url, $entry->getAttribute('href'), $entry->tagName, "href"));
 
 				$entry->setAttribute('rel', 'noopener noreferrer');
 				$entry->setAttribute("target", "_blank");
@@ -82,7 +82,7 @@ class Sanitizer {
 
 			if ($entry->hasAttribute('src')) {
 				$entry->setAttribute('src',
-					rewrite_relative_url($rewrite_base_url, $entry->getAttribute('src')));
+					UrlHelper::rewrite_relative($rewrite_base_url, $entry->getAttribute('src'), $entry->tagName, "src"));
 			}
 
 			if ($entry->nodeName == 'img') {
@@ -94,7 +94,7 @@ class Sanitizer {
 				$matches = RSSUtils::decode_srcset($entry->getAttribute('srcset'));
 
 				for ($i = 0; $i < count($matches); $i++) {
-					$matches[$i]["url"] = rewrite_relative_url($rewrite_base_url, $matches[$i]["url"]);
+					$matches[$i]["url"] = UrlHelper::rewrite_relative($rewrite_base_url, $matches[$i]["url"]);
 				}
 
 				$entry->setAttribute("srcset", RSSUtils::encode_srcset($matches));
diff --git a/classes/urlhelper.php b/classes/urlhelper.php
index 648d609a4..b4545939f 100644
--- a/classes/urlhelper.php
+++ b/classes/urlhelper.php
@@ -1,6 +1,6 @@
 <?php
 class UrlHelper {
-	const ALLOWED_RELATIVE_SCHEMES = [
+	const EXTRA_HREF_SCHEMES = [
 		"magnet",
 		"mailto",
 		"tel"
@@ -27,22 +27,35 @@ class UrlHelper {
 
 	/**
 	 * Converts a (possibly) relative URL to a absolute one, using provided base URL.
+	 * Provides some exceptions for additional schemes like data: if called with owning element/attribute.
 	 *
 	 * @param string $base_url     Base URL (i.e. from where the document is)
 	 * @param string $rel_url Possibly relative URL in the document
+	 * @param string $owner_element Owner node tag name (i.e. A) (optional)
+	 * @param string $owner_attribute Owner attribute (i.e. href) (optional)
 	 *
 	 * @return string Absolute URL
 	 */
-	public static function rewrite_relative($base_url, $rel_url) {
+	public static function rewrite_relative($base_url, $rel_url, string $owner_element = "", string $owner_attribute = "") {
 
 		$rel_parts = parse_url($rel_url);
 
 		if (!empty($rel_parts['host']) && !empty($rel_parts['scheme'])) {
 			return self::validate($rel_url);
+
+		// protocol-relative URL (rare but they exist)
 		} else if (strpos($rel_url, "//") === 0) {
-			# protocol-relative URL (rare but they exist)
 			return self::validate("https:" . $rel_url);
-		} else if (array_search($rel_parts["scheme"] ?? "", self::ALLOWED_RELATIVE_SCHEMES, true) !== false) {
+		// allow some extra schemes for A href
+		} else if (in_array($rel_parts["scheme"] ?? "", self::EXTRA_HREF_SCHEMES) &&
+				$owner_element == "a" &&
+				$owner_attribute == "href") {
+			return $rel_url;
+		// allow limited subset of inline base64-encoded images for IMG elements
+		} else if ($rel_parts["scheme"] == "data" &&
+				preg_match('%^image/(webp|gif|jpg|png|svg);base64,%', $rel_parts["path"]) &&
+				$owner_element == "img" &&
+				$owner_attribute == "src") {
 			return $rel_url;
 		} else {
 			$base_parts = parse_url($base_url);