Merge pull request #1011 from owncloud/image-blocking

Image blocking

lib/service/html.php

@@ -23,6 +23,7 @@ use OCA\Mail\Service\HtmlPurify\TransformImageSrc;
 use OCA\Mail\Service\HtmlPurify\TransformNoReferrer;
 use OCA\Mail\Service\HtmlPurify\TransformURLScheme;
 use OCP\IURLGenerator;
+use OCP\Util;
 
 class Html {
 
@@ -48,6 +49,7 @@ class Html {
 
 		// allow cid, http and ftp
 		$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'ftp' => true, 'mailto' => true]);
+		$config->set('URI.Host', Util::getServerHostName());
 
 		// Disable the cache since ownCloud has no really appcache
 		// TODO: Fix this - requires https://github.com/owncloud/core/issues/10767 to be fixed
@@ -90,6 +92,7 @@ class Html {
 
 		// allow cid, http and ftp
 		$config->set('URI.AllowedSchemes', ['cid' => true, 'http' => true, 'https' => true, 'ftp' => true, 'mailto' => true]);
+		$config->set('URI.Host', Util::getServerHostName());
 
 		// Disable the cache since ownCloud has no really appcache
 		// TODO: Fix this - requires https://github.com/owncloud/core/issues/10767 to be fixed
@@ -97,7 +100,7 @@ class Html {
 
 		// Rewrite URL for redirection and proxying of content
 		$html = $config->getDefinition('HTML');
-		$html->info_attr_transform_post['imagesrc'] = new TransformImageSrc();
+		$html->info_attr_transform_post['imagesrc'] = new TransformImageSrc($this->urlGenerator);
 
 		$uri = $config->getDefinition('URI');
 		$uri->addFilter(new TransformURLScheme($messageParameters, $mapCidToAttachmentId, $this->urlGenerator), $config);

lib/service/htmlpurify/transformimagesrc.php

@@ -4,12 +4,29 @@ namespace OCA\Mail\Service\HtmlPurify;
 use HTMLPurifier_AttrTransform;
 use HTMLPurifier_Config;
 use HTMLPurifier_Context;
+use HTMLPurifier_URI;
+use HTMLPurifier_URIFilter;
+use HTMLPurifier_URIParser;
+use OCP\IURLGenerator;
 use OCP\Util;
 
 /**
  * Adds copies src to data-src on all img tags.
  */
 class TransformImageSrc extends HTMLPurifier_AttrTransform {
+	/**
+	* @type HTMLPurifier_URIParser
+	*/
+	private $parser;
+
+	/** @var IURLGenerator */
+	private $urlGenerator;
+
+	public function __construct(IURLGenerator $urlGenerator) {
+		$this->parser = new HTMLPurifier_URIParser();
+		$this->urlGenerator = $urlGenerator;
+	}
+
 	/**
 	 * @param array $attr
 	 * @param HTMLPurifier_Config $config
@@ -17,13 +34,25 @@ class TransformImageSrc extends HTMLPurifier_AttrTransform {
 	 * @return array
 	 */
 	public function transform($attr, $config, $context) {
-		if ( $context->get('CurrentToken')->name !== 'img' ||
+		if ($context->get('CurrentToken')->name !== 'img' ||
 			!isset($attr['src'])) {
 			return $attr;
 		}
 
-		$attr['data-original-src'] = $attr['src'];
-		$attr['src'] = Util::imagePath('mail', 'blocked-image.png');
+		// Block tracking pixels
+		if (isset($attr['width']) && isset($attr['height']) &&
+			(int)$attr['width'] < 5 && (int)$attr['height'] < 5){
+			// Replace with a transparent png in case it's important for the layout
+			$attr['src'] = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAABmJLR0QA/wD/AP+gvaeTAAAADUlEQVQI12NgYGBgAAAABQABXvMqOgAAAABJRU5ErkJggg==';
+			return $attr;
+		}
+
+		// Do not block images attached to the email
+		$url = $this->parser->parse($attr['src']);
+		if ($url->host === Util::getServerHostName() && $url->path === $this->urlGenerator->linkToRoute('mail.proxy.proxy')) {
+			$attr['data-original-src'] = $attr['src'];
+			$attr['src'] = Util::imagePath('mail', 'blocked-image.png');
+		}
 		return $attr;
 	}
 }