From 653c19c250d9e35b2ea33e86a51b7b28c1e4c975 Mon Sep 17 00:00:00 2001
From: redsummernight
Date: Mon, 8 Jan 2024 02:10:29 -0500
Subject: [PATCH] AO3-6665 Check URL protocols of media src attributes (#4713)

---
 lib/otw_sanitize/media_sanitizer.rb | 43 +++++++++++--------
 spec/lib/otw_sanitize/media_sanitizer_spec.rb | 13 +++++-
 2 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/lib/otw_sanitize/media_sanitizer.rb b/lib/otw_sanitize/media_sanitizer.rb
index 23897d0b51c..b2e09bc4de9 100644
--- a/lib/otw_sanitize/media_sanitizer.rb
+++ b/lib/otw_sanitize/media_sanitizer.rb
@@ -22,31 +22,37 @@ class controls crossorigin dir height loop audio video source track
 ] + Sanitize::Config::ARCHIVE[:elements],
 attributes: {
- 'audio' => AUDIO_ATTRIBUTES,
- 'video' => VIDEO_ATTRIBUTES,
- 'source' => SOURCE_ATTRIBUTES,
- 'track' => TRACK_ATTRIBUTES
+ "audio" => AUDIO_ATTRIBUTES,
+ "video" => VIDEO_ATTRIBUTES,
+ "source" => SOURCE_ATTRIBUTES,
+ "track" => TRACK_ATTRIBUTES
 },
 add_attributes: {
- 'audio' => {
- 'controls' => 'controls',
- 'crossorigin' => 'anonymous',
- 'preload' => 'metadata'
+ "audio" => {
+ "controls" => "controls",
+ "crossorigin" => "anonymous",
+ "preload" => "metadata"
 },
- 'video' => {
- 'controls' => 'controls',
- 'playsinline' => 'playsinline',
- 'crossorigin' => 'anonymous',
- 'preload' => 'metadata'
+ "video" => {
+ "controls" => "controls",
+ "playsinline" => "playsinline",
+ "crossorigin" => "anonymous",
+ "preload" => "metadata"
 }
 },
 protocols: {
- 'audio' => {
- 'src' => %w[http https]
+ "audio" => {
+ "src" => %w[http https]
 },
- 'video' => {
- 'poster' => %w[http https],
- 'src' => %w[http https]
+ "video" => {
+ "poster" => %w[http https],
+ "src" => %w[http https]
+ },
+ "source" => {
+ "src" => %w[http https]
+ },
+ "track" => {
+ "src" => %w[http https]
 }
 }
 }.freeze
@@ -102,6 +108,7 @@ def source_host
 
 def banned_source?
 return unless source_host
+
 ArchiveConfig.BANNED_MULTIMEDIA_SRCS.any? do |blocked|
 source_host.match(blocked)
 end
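Review bot: The new `"source"` and `"track"` entries under `protocols:` deserve a comment, because a reader can easily assume the existing `audio`/`video` rules already cover them; Sanitize's protocol rules are keyed per element and attribute, so before this change the `src` of a child `<source>` or `<track>` — the URL the browser actually fetches — had no scheme restriction at all. A line such as `# Protocol rules are per element: child <source>/<track> src must be listed separately from the parent media element` above `"source" => {` would record that. It may also be worth stating in that comment that, with only `http`/`https` listed and no `:relative`, relative and protocol-relative `src` values are stripped too, matching the pre-existing audio/video behaviour. The rewrite of every existing line from single to double quotes makes the two functional additions hard to spot; keeping that normalisation in its own commit would help anyone bisecting this config later. The frozen config hash edited here opens before the hunk.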
diff --git a/spec/lib/otw_sanitize/media_sanitizer_spec.rb b/spec/lib/otw_sanitize/media_sanitizer_spec.rb
index 8498120dd61..a871b737f7c 100644
--- a/spec/lib/otw_sanitize/media_sanitizer_spec.rb
+++ b/spec/lib/otw_sanitize/media_sanitizer_spec.rb
@@ -51,8 +51,8 @@ it "allows source elements" do html = " " content = Sanitize.fragment(html, config)
@@ -99,6 +99,15 @@
 expect(content).not_to match("javascript")
 end
 
+ %w[audio video source track].each do |element|
+ it "removes src on #{element} elements for unsupported protocols" do
+ html = "<#{element} src='file://flower.mp4'>"
+ content = Sanitize.fragment(html, config)
+ expect(content).not_to match("src")
+ expect(content).not_to match("file://")
+ end
+ end
+
 context "given a blacklisted source" do
 before do
 ArchiveConfig.BANNED_MULTIMEDIA_SRCS = ["google.com"]
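Review bot: The new loop only exercises a `file://` value on `src`, so `video`'s `poster` attribute — restricted to the same `http`/`https` list in the sanitizer config — still has no example showing it is stripped for an unsupported scheme; an `it "removes poster on video elements for unsupported protocols"` example with `html = "<video poster='file://flower.jpg'>"` beside this loop would close that gap. The assertion `expect(content).not_to match("src")` is broad enough to pass even if the whole element were removed; if the intent is "attribute dropped, element kept", asserting that `<#{element}` still appears in `content` would make the example precise. The example group these examples belong to starts and ends outside the hunk.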