From f1af2813d3c0fda64ca6c97b422af5ca0c70e98f Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 16 Mar 2016 22:48:13 +0000
Subject: [PATCH] Media: When generating the base URL to be used in the `srcset` attribute, use an `https` scheme when the image base URL's host matches that of the current host, and the request is being served over HTTPS. This prevents mixed content warnings caused by `http` embedded media.
See #34945
Props joemcgill
git-svn-id: https://develop.svn.wordpress.org/trunk@37022 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/media.php | 8 +++++++
 tests/phpunit/tests/media.php | 41 +++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
index ef6baa7bc2..1c8387b141 100644
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -1027,6 +1027,14 @@ function wp_calculate_image_srcset( $size_array, $image_src, $image_meta, $attac
 $upload_dir = wp_get_upload_dir();
 $image_baseurl = trailingslashit( $upload_dir['baseurl'] ) . $dirname;

+ /*
+ * If currently on HTTPS, prefer HTTPS URLs when we know they're supported by the domain
+ * (which is to say, when they share the domain name of the current request).
+ */
+ if ( is_ssl() && 'https' !== substr( $image_baseurl, 0, 5 ) && parse_url( $image_baseurl, PHP_URL_HOST ) === $_SERVER['HTTP_HOST'] ) {
+ $image_baseurl = set_url_scheme( $image_baseurl, 'https' );
+ }
+
 /*
 * Images that have been edited in WordPress after being uploaded will
 * contain a unique hash. Look for that hash and use it later to filter
diff --git a/tests/phpunit/tests/media.php b/tests/phpunit/tests/media.php
index 5b68f327e3..a58360ac45 100644
--- a/tests/phpunit/tests/media.php
+++ b/tests/phpunit/tests/media.php
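Review bot: The added condition in wp_calculate_image_srcset() compares `parse_url( $image_baseurl, PHP_URL_HOST )` directly with `$_SERVER['HTTP_HOST']`, but that header is client-supplied, may carry a port, may differ in letter case, and may be absent. `PHP_URL_HOST` never includes the port, so on a site served on a non-default port the scheme upgrade silently never happens, and a request without the header raises an undefined-index notice. Guard the read with `isset()` and compare host plus port from the parsed base URL against the header case-insensitively, as sketched below; the header should remain an equality operand only and never be copied into the generated URL. The function body starts and ends outside this hunk.

```php
// … unchanged: $upload_dir and $image_baseurl assignment …
if ( is_ssl() && 'https' !== substr( $image_baseurl, 0, 5 ) && isset( $_SERVER['HTTP_HOST'] ) ) {
	// The Host header may include a port, so build the same host[:port] form from the base URL.
	$parsed = parse_url( $image_baseurl );
	$domain = isset( $parsed['host'] ) ? $parsed['host'] : '';
	if ( isset( $parsed['port'] ) ) {
		$domain .= ':' . $parsed['port'];
	}

	if ( '' !== $domain && strtolower( $_SERVER['HTTP_HOST'] ) === strtolower( $domain ) ) {
		$image_baseurl = set_url_scheme( $image_baseurl, 'https' );
	}
}
```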
@@ -1479,6 +1479,47 @@ EOF;
 $expected = sprintf( $content, $respimg, $respimg_https, $respimg_relative );
 $actual = wp_make_content_images_responsive( $unfiltered );

+ $this->assertSame( $expected, $actual );
+}
+
+ /**
+ * @ticket 34945
+ * @ticket 33641
+ */
+ function test_wp_get_attachment_image_with_https_on() {
+ // Mock meta for the image.
+ $image_meta = array(
+ 'width' => 1200,
+ 'height' => 600,
+ 'file' => 'test.jpg',
+ 'sizes' => array(
+ 'thumbnail' => array(
+ 'file' => 'test-150x150.jpg',
+ 'width' => 150,
+ 'height' => 150,
+ ),
+ 'medium' => array(
+ 'file' => 'test-300x150.jpg',
+ 'width' => 300,
+ 'height' => 150,
+ ),
+ 'large' => array(
+ 'file' => 'test-1024x512.jpg',
+ 'width' => 1024,
+ 'height' => 512,
+ ),
+ )
+ );
+
+ // Test using the large file size.
+ $size_array = array( 1024, 512 );
+ $image_url = 'http://' . WP_TESTS_DOMAIN . '/wp-content/uploads/' . $image_meta['sizes']['large']['file'];
+
+ $_SERVER['HTTPS'] = 'on';
+
+ $expected = 'https://' . WP_TESTS_DOMAIN . '/wp-content/uploads/test-300x150.jpg 300w, https://' . WP_TESTS_DOMAIN . '/wp-content/uploads/test-1024x512.jpg 1024w, https://' . WP_TESTS_DOMAIN . '/wp-content/uploads/test.jpg 1200w';
+ $actual = wp_calculate_image_srcset( $size_array, $image_url, $image_meta );
+
 $this->assertSame( $expected, $actual );
 }
 }
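Review bot: `$_SERVER['HTTPS'] = 'on';` in test_wp_get_attachment_image_with_https_on() is never reset, so any test that runs later in the same process sees `is_ssl()` return true and can pass or fail for the wrong reason. Capture the previous value before the assignment and, once `$actual` has been computed, restore it, or call `unset( $_SERVER['HTTPS'] );` when it was not set. The test also pins only the matching-host case, and it appears to rely on the test bootstrap setting `HTTP_HOST` to `WP_TESTS_DOMAIN`; a second case with an upload base URL on a different host would confirm that foreign `http` URLs are left unchanged.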