Force HTTPS on video and source src attribute.

This commit forces HTTPS on the `src` attribute. For each child node, it sets the new filtered `src` attribute. Fixes #976.
ampproject · Jul 19, 2018 · 56dc958 · 56dc958
1 parent 024e450
commit 56dc958
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/includes/sanitizers/class-amp-video-sanitizer.php b/includes/sanitizers/class-amp-video-sanitizer.php
@@ -47,6 +47,7 @@ public function get_selector_conversion_mapping() {
 	 * Sanitize the <video> elements from the HTML contained in this instance's DOMDocument.
 	 *
 	 * @since 0.2
+	 * @since 1.0 Set the filtered child node's src attribute.
 	 */
 	public function sanitize() {
 		$nodes     = $this->dom->getElementsByTagName( self::$tag );
@@ -95,11 +96,14 @@ public function sanitize() {
 					continue;
 				}
 
+				if ( $old_child_attributes['src'] !== $new_child_attributes['src'] ) {
+					$new_child_node->setAttribute( 'src', $new_child_attributes['src'] );
+				}
+
 				/**
 				 * Only append source tags with a valid src attribute
 				 */
 				$new_node->appendChild( $new_child_node );
-
 			}
 
 			/*
@@ -158,6 +162,7 @@ protected function filter_video_dimensions( $new_attributes ) {
 	 * "Filter" HTML attributes for <amp-audio> elements.
 	 *
 	 * @since 0.2
+	 * @since 1.0 Force src HTTPS.
 	 *
 	 * @param string[] $attributes {
 	 *      Attributes.
@@ -180,7 +185,7 @@ private function filter_attributes( $attributes ) {
 		foreach ( $attributes as $name => $value ) {
 			switch ( $name ) {
 				case 'src':
-					$out[ $name ] = $this->maybe_enforce_https_src( $value );
+					$out[ $name ] = $this->maybe_enforce_https_src( $value, true );
 					break;
 
 				case 'width':

diff --git a/tests/test-amp-video-sanitizer.php b/tests/test-amp-video-sanitizer.php
@@ -90,7 +90,15 @@ public function get_data() {
 
 			'https_not_required' => array(
 				'<video width="300" height="300" src="http://example.com/video.mp4"></video>',
-				'<amp-video width="300" height="300" src="http://example.com/video.mp4" layout="responsive"></amp-video>',
+				'<amp-video width="300" height="300" src="https://example.com/video.mp4" layout="responsive"></amp-video>',
+			),
+
+			'http_video_with_children' => array(
+				'<video width="480" height="300" poster="https://example.com/video-image.gif">
+	<source src="http://example.com/video.mp4" type="video/mp4">
+	<source src="http://example.com/video.ogv" type="video/ogg">
+</video>',
+				'<amp-video width="480" height="300" poster="https://example.com/video-image.gif" layout="responsive"><source src="https://example.com/video.mp4" type="video/mp4"><source src="https://example.com/video.ogv" type="video/ogg"></amp-video>',
 			),
 		);
 	}