Denying external sources with the image proxy set to insecure only did not work
authorAlexander Ebert <ebert@woltlab.com>
Tue, 24 Jul 2018 09:44:00 +0000 (11:44 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Tue, 24 Jul 2018 09:44:00 +0000 (11:44 +0200)
wcfsetup/install/files/lib/system/html/output/node/HtmlOutputNodeImg.class.php

index ea53c1bb39ddfc6dcb9099e9a92ed8f486cd9edf..7f55a826067495f196160b80897f063274e06f5c 100644 (file)
@@ -84,6 +84,10 @@ class HtmlOutputNodeImg extends AbstractHtmlOutputNode {
                                        
                                        if (IMAGE_PROXY_INSECURE_ONLY && $urlComponents['scheme'] === 'https') {
                                                // proxy is enabled for insecure connections only
+                                               if (!IMAGE_ALLOW_EXTERNAL_SOURCE && !$this->isAllowedOrigin($src)) {
+                                                       $this->replaceExternalSource($element, $src);
+                                               }
+                                               
                                                continue;
                                        }
                                        
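Review bot: The added check on the `continue` path repeats the `!IMAGE_ALLOW_EXTERNAL_SOURCE && !$this->isAllowedOrigin($src)` condition from the later `else if`, and nothing records why it is needed here, which is likely how the gap went unnoticed before. I would put a comment above it such as `// this image skips the proxy and is loaded from its origin, so the external source policy must be enforced here`. The surrounding loop starts and ends outside the hunk, so any other exit that leaves an image unproxied should be checked for the same omission. A regression test with `IMAGE_PROXY_INSECURE_ONLY` enabled, `IMAGE_ALLOW_EXTERNAL_SOURCE` disabled and an `https` source from a non-allowed origin would pin the fix.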
@@ -127,18 +131,7 @@ class HtmlOutputNodeImg extends AbstractHtmlOutputNode {
                                        }
                                }
                                else if (!IMAGE_ALLOW_EXTERNAL_SOURCE && !$this->isAllowedOrigin($src)) {
-                                       $element->parentNode->insertBefore($element->ownerDocument->createTextNode('[IMG:'), $element);
-                                       
-                                       $link = $element->ownerDocument->createElement('a');
-                                       $link->setAttribute('href', $src);
-                                       $link->textContent = $src;
-                                       HtmlOutputNodeA::markLinkAsExternal($link);
-                                       
-                                       $element->parentNode->insertBefore($link, $element);
-                                       
-                                       $element->parentNode->insertBefore($element->ownerDocument->createTextNode(']'), $element);
-                                       
-                                       $element->parentNode->removeChild($element);
+                                       $this->replaceExternalSource($element, $src);
                                }
                                else if (MESSAGE_FORCE_SECURE_IMAGES && Url::parse($src)['scheme'] === 'http') {
                                        // rewrite protocol to `https`
@@ -148,6 +141,27 @@ class HtmlOutputNodeImg extends AbstractHtmlOutputNode {
                }
        }
        
+       /**
+        * Replaces images embedded from external sources that are not handled by the image proxy.
+        * 
+        * @param       \DOMElement     $element
+        * @param       string          $src
+        */
+       protected function replaceExternalSource(\DOMElement $element, $src) {
+               $element->parentNode->insertBefore($element->ownerDocument->createTextNode('[IMG:'), $element);
+               
+               $link = $element->ownerDocument->createElement('a');
+               $link->setAttribute('href', $src);
+               $link->textContent = $src;
+               HtmlOutputNodeA::markLinkAsExternal($link);
+               
+               $element->parentNode->insertBefore($link, $element);
+               
+               $element->parentNode->insertBefore($element->ownerDocument->createTextNode(']'), $element);
+               
+               $element->parentNode->removeChild($element);
+       }
+       
        /**
         * Validates the domain name against the list of own domains
         * and whitelisted ones with wildcard support.
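Review bot: `replaceExternalSource()` copies `$src` into the `href` of a new `<a>` without looking at its scheme, and an `href` is a more sensitive sink than an image `src` because the browser navigates to it on click. The caller in the first hunk only reaches it for `https`, but the `else if` caller in the second hunk shows no scheme check, and whether `$src` is restricted earlier is not visible here. I would build the link only for `http`/`https` and otherwise emit the URL as a plain text node, as sketched below. The docblock could also state that `$element` is removed from the document, so callers must not use it afterwards.

```php
protected function replaceExternalSource(\DOMElement $element, $src) {
	// … unchanged: '[IMG:' text node …
	
	$scheme = Url::parse($src)['scheme'];
	if ($scheme === 'http' || $scheme === 'https') {
		$link = $element->ownerDocument->createElement('a');
		$link->setAttribute('href', $src);
		$link->textContent = $src;
		HtmlOutputNodeA::markLinkAsExternal($link);
		
		$element->parentNode->insertBefore($link, $element);
	}
	else {
		// show the address, but never as a clickable link for a non-web scheme
		$element->parentNode->insertBefore($element->ownerDocument->createTextNode($src), $element);
	}
	
	// … unchanged: ']' text node and removal of $element …
}
```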