From a8823997fbcd326baa8fafbccfc386ff01c14c4d Mon Sep 17 00:00:00 2001 From: Carl-Eric Menzel Date: Mon, 28 Nov 2016 14:27:40 +0100 Subject: [PATCH] WICKET-6290 fix CssUrlReplacer so it does not mangle data URIs --- .../org/apache/wicket/resource/CssUrlReplacer.java | 7 +++++++ .../apache/wicket/resource/CssUrlReplacerTest.java | 14 ++++++++++++-- .../main/java/org/apache/wicket/request/Url.java | 11 +++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/wicket-core/src/main/java/org/apache/wicket/resource/CssUrlReplacer.java b/wicket-core/src/main/java/org/apache/wicket/resource/CssUrlReplacer.java index ab0f45f6459..a19fe2e354e 100644 --- a/wicket-core/src/main/java/org/apache/wicket/resource/CssUrlReplacer.java +++ b/wicket-core/src/main/java/org/apache/wicket/resource/CssUrlReplacer.java @@ -108,6 +108,11 @@ else if (imageCandidateUrl.isContextAbsolute()) { processedUrl = imageCandidateUrl.toString(); } + else if (imageCandidateUrl.isDataUrl()) + { + embedded = true; + processedUrl = imageCandidateUrl.toString(); + } else { // relativize against the url for the containing CSS file @@ -139,6 +144,8 @@ else if (imageCandidateUrl.isContextAbsolute()) } } + + // embedded data urls don't need single quotes, but regular urls do: matcher.appendReplacement(output, embedded ? "url(" + processedUrl + ")" : "url('" + processedUrl + "')"); } diff --git a/wicket-core/src/test/java/org/apache/wicket/resource/CssUrlReplacerTest.java b/wicket-core/src/test/java/org/apache/wicket/resource/CssUrlReplacerTest.java index 5503e4cd438..5681eaa7904 100644 --- a/wicket-core/src/test/java/org/apache/wicket/resource/CssUrlReplacerTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/resource/CssUrlReplacerTest.java @@ -35,8 +35,6 @@ import org.junit.Before; import org.junit.Test; -import java.util.Locale; - public class CssUrlReplacerTest extends WicketTestCase { @@ -91,6 +89,18 @@ public void doNotProcessFullUrls() assertThat(processed, is(input)); } + @Test + public void doNotProcessDataUrls_WICKET_6290() + { + String input = ".class {background-image: url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHH);}"; + Class scope = CssUrlReplacerTest.class; + String cssRelativePath = "res/css/some.css"; + CssUrlReplacer replacer = new CssUrlReplacer(); + + String processed = replacer.process(input, scope, cssRelativePath); + assertThat(processed, is(input)); + } + @Test public void doNotProcessContextAbsoluteUrls() { diff --git a/wicket-request/src/main/java/org/apache/wicket/request/Url.java b/wicket-request/src/main/java/org/apache/wicket/request/Url.java index be496404999..4a078df640c 100755 --- a/wicket-request/src/main/java/org/apache/wicket/request/Url.java +++ b/wicket-request/src/main/java/org/apache/wicket/request/Url.java @@ -492,6 +492,17 @@ public boolean isContextAbsolute() return !isFull() && !getSegments().isEmpty() && Strings.isEmpty(getSegments().get(0)); } + /** + * Returns whether the Url is a CSS data uri. Data uris start with '{@literal data:}'. + * + * @return true if Url starts with 'data:', false otherwise. + */ + public boolean isDataUrl() + { + return (getProtocol() != null && getProtocol().equals("data")) || (!getSegments().isEmpty() && getSegments() + .get(0).startsWith("data")); + } + /** * Returns whether the Url has a host attribute. * The scheme is optional because the url may be //host/path.