Rewrite "mixed content" URLs via an HTMLPurifier custom filter

Bug #1563641 reported by Aaron Wells
Affects: Mahara
Status: Fix Released
Importance: Medium
Assigned to: Cecilia Vela Gurovic
Milestone:

Bug Description

"Mixed content" refers to the scenario where a web page is served via HTTPS, but it includes assets that are served via an HTTP URL. See https://developer.mozilla.org/en-US/docs/Security/Mixed_content for some discussion of this.

In Bug 1463629 we fixed this issue for embedded iframes, by patching the HTMLPurifier core class HTMLPurifier_URIFilter_SafeIframe so that, in addition to filtering iframes for an allowed set of URLs, it also transformed them from HTTPS to HTTP if needed.

After having recently done some work on HTMLPurifier for other bugs, and becoming more familiar with their API, it now becomes apparent to me that this was a bit of a hack (patching core code should have told me this anyway). What we should have done is, instead, write up a new custom URIFilter specifically for rewriting URIs from HTTP to HTTPS in this way, and used that instead.

Doing it that way will make future HTMLPurifier upgrades easier, by eliminating the need to patch that file.

Tags: htmlpurifier
Aaron Wells (u-aaronw) wrote :

See http://htmlpurifier.org/docs/enduser-uri-filter.html for details about how to write a custom URI filter.
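The custom URI filter that the bug description proposes, and that the linked HTMLPurifier page documents, written out as an added example. This is not Mahara's code and not the patch that was merged for this bug; the class name, the `$siteIsHttps` constructor flag, the `require_once` path and the sample HTML are assumptions made for illustration. The filter only touches embedded resources (the `EmbeddedURI` context flag that HTMLPurifier sets for `img src`, `iframe src` and similar attributes), so ordinary `a href` links are left alone, and it skips URLs with an explicit non-default port, where TLS cannot be assumed.

```php
<?php
// Added example (not Mahara's own code): an HTMLPurifier URI filter that
// rewrites http:// to https:// on embedded resources so that a page served
// over HTTPS does not pull in mixed content.
require_once 'HTMLPurifier.auto.php'; // assumption: HTMLPurifier is on the include path

class HTMLPurifier_URIFilter_RewriteMixedContent extends HTMLPurifier_URIFilter
{
    /** @var string Name under which HTMLPurifier registers the filter. */
    public $name = 'RewriteMixedContent';

    /** @var bool false = run before scheme-specific validation (a pre-filter). */
    public $post = false;

    /** @var bool Whether the page that embeds the purified HTML is itself HTTPS. */
    private $siteIsHttps;

    public function __construct($siteIsHttps)
    {
        // Assumption: the caller knows the scheme of the embedding page
        // (Mahara would derive this from its own site configuration).
        $this->siteIsHttps = (bool) $siteIsHttps;
    }

    public function prepare($config)
    {
        // Nothing to precompute; returning true keeps the filter active.
        return true;
    }

    /**
     * Called once per URI. Return true to keep the (possibly modified) URI,
     * false to drop the attribute entirely.
     */
    public function filter(&$uri, $config, $context)
    {
        if (!$this->siteIsHttps) {
            return true; // an http:// page cannot have mixed content
        }
        // Only subresources (img, iframe, ...) cause mixed content;
        // navigational links (a href) are not embedded and stay untouched.
        if (!$context->get('EmbeddedURI', true)) {
            return true;
        }
        // Relative and scheme-relative URIs already inherit the page scheme.
        if ($uri->scheme !== 'http' || $uri->host === null) {
            return true;
        }
        // An explicit port other than 80 says nothing about TLS; leave it.
        if ($uri->port !== null && $uri->port != 80) {
            return true;
        }
        $uri->scheme = 'https';
        $uri->port = null; // drop an explicit :80, https defaults to 443
        return true;
    }
}

// Registration, as the HTMLPurifier URI-filter documentation describes it,
// followed by a run over constructed sample markup.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^https?://(www\.youtube\.com/embed/)%');
$uriDef = $config->getDefinition('URI');
$uriDef->addFilter(new HTMLPurifier_URIFilter_RewriteMixedContent(true), $config);
$purifier = new HTMLPurifier($config);

// Constructed input: the first image and the iframe get rewritten to https,
// the image on port 8080 and the plain link are left as they are.
$html = '<img src="http://example.com/a.png">'
      . '<img src="http://example.com:8080/b.png">'
      . '<iframe src="http://www.youtube.com/embed/abc"></iframe>'
      . '<a href="http://example.com/">link</a>';
echo $purifier->purify($html), "\n";
```

Because the filter is registered on the `URI` definition rather than by patching `HTMLPurifier_URIFilter_SafeIframe`, it survives a library upgrade, and it covers every embedded resource type rather than only iframes. The caveat is that the rewrite assumes the remote host actually serves the resource over HTTPS; if it does not, the element fails to load instead of being flagged by the browser, so this belongs alongside an allow-list such as `URI.SafeIframeRegexp` rather than replacing it.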

Changed in mahara:
milestone: none → 16.10.0
assignee: nobody → Aaron Wells (u-aaronw)
importance: Undecided → Low
status: New → Confirmed
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Changed in mahara:
assignee: Aaron Wells (u-aaronw) → nobody
tags: added: htmlpurifier
Changed in mahara:
importance: Low → Medium
milestone: 17.04.0 → 17.10.0
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 17.10.0 → 18.04.0
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 18.04.0 → 18.10.0
Kristina Hoeppner (kris-hoeppner) wrote :

To be revisited when we upgrade HTMLpurifier for 19.04

Changed in mahara:
milestone: 18.10.0 → 19.04.0
assignee: nobody → Cecilia Vela Gurovic (ceciliavg)
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/9625

Changed in mahara:
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/9625
Committed: https://git.mahara.org/mahara/mahara/commit/49d1c1b9a75c07fccaa12bcb31ed34f5f0ec3f3a
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 49d1c1b9a75c07fccaa12bcb31ed34f5f0ec3f3a
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Mar 13 15:50:36 2019 +1300

Bug 1563641: "mixed content" URLs via an HTMLPurifier custom filter

behatnotneeded

Change-Id: I8c3b5facad985b997848f93a50398a397922f4af

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "19.04_STABLE" branch: https://reviews.mahara.org/9708

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/9708
Committed: https://git.mahara.org/mahara/mahara/commit/81830c5edffeb1d9d21af72442d60e1c55eb74c6
Submitter: Robert Lyon (<email address hidden>)
Branch: 19.04_STABLE

commit 81830c5edffeb1d9d21af72442d60e1c55eb74c6
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Mar 13 15:50:36 2019 +1300

Bug 1563641: "mixed content" URLs via an HTMLPurifier custom filter

behatnotneeded

Change-Id: I8c3b5facad985b997848f93a50398a397922f4af
(cherry picked from commit 49d1c1b9a75c07fccaa12bcb31ed34f5f0ec3f3a)

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released