mahara-contributors team mailing list archive

[Robert Lyon <robertl@xxxxxxxxxxxxxxx>]

** Changed in: mahara
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1563641

Title:
  Rewrite "mixed content" URLs via an HTMLPurifier custom filter

Status in Mahara:
  Fix Committed

Bug description:
  "Mixed content" refers to the scenario where a web page is served via
  HTTPS, but it includes assets that are served via an HTTP URL. See
  https://developer.mozilla.org/en-US/docs/Security/Mixed_content for
  some discussion of this.

  In Bug 1463629 we fixed this issue for embedded iframes, by patching
  the HTMLPurifier core class HTMLPurifier_URIFilter_SafeIframe so that,
  in addition to filtering iframes for an allowed set of URLs, it also
  transformed them from HTTPS to HTTP if needed.

  After having recently done some work on HTMLPurifier for other bugs,
  and becoming more familiar with their API, it now becomes apparent to
  me that this was a bit of a hack (patching core code should have told
  me this anyway). What we should have done is, instead, write up a new
  custom URIFilter specifically for rewriting URI's from HTTP to HTTPS
  in this way, and used that instead.

  Doing it that way will make future HTMLPurifier upgrades easier, by
  eliminating the need to patch that file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1563641/+subscriptions