MAGETWO-90177: Image broken on storefront with secure key enabled

danmooney2 · danmooney2 · commit ba0143b103c3 · 2018-05-04T13:17:13.000-05:00
Fix regex matching if directive url contains ?SID=... query string
diff --git a/app/code/Magento/Tinymce3/view/base/web/tinymce3Adapter.js b/app/code/Magento/Tinymce3/view/base/web/tinymce3Adapter.js
@@ -539,9 +539,15 @@ define([
          * @return {*}
          */
         decodeDirectives: function (content) {
-            // escape special chars in directives url to use it in regular expression
-            var url = this.makeDirectiveUrl('%directive%').replace(/([$^.?*!+:=()\[\]{}|\\])/g, '\\$1'),
-                reg = new RegExp(url.replace('%directive%', '([a-zA-Z0-9,_-]+(?:%2[A-Z]|)+\/?)(?:(?!").)*') + '/?');
+            var directiveUrl = this.makeDirectiveUrl('%directive%').split('?')[0], // remove query string from directive
+                // escape special chars in directives url to use in regular expression
+                regexEscapedDirectiveUrl = directiveUrl.replace(/([$^.?*!+:=()\[\]{}|\\])/g, '\\$1'),
+                regexDirectiveUrl = regexEscapedDirectiveUrl
+                    .replace(
+                        '%directive%',
+                        '([a-zA-Z0-9,_-]+(?:%2[A-Z]|)+\/?)(?:(?!").)*'
+                    ) + '/?(\\\\?[^"]*)?', // allow optional query string
+                reg = new RegExp(regexDirectiveUrl);
 
             return content.gsub(reg, function (match) {
                 return Base64.mageDecode(decodeURIComponent(match[1]).replace(/\/$/, '')).replace(/"/g, '&quot;');
diff --git a/dev/tests/js/jasmine/tests/lib/mage/wysiwygAdapter.test.js b/dev/tests/js/jasmine/tests/lib/mage/wysiwygAdapter.test.js
@@ -27,7 +27,7 @@ define([
     describe('wysiwygAdapter', function () {
         describe('encoding and decoding directives', function () {
             function runTests(decodedHtml, encodedHtml) {
-                var encodedHtmlWithForwardSlashInImgSrc = encodedHtml.replace('src="([^"]+)', 'src="$1/"');
+                var encodedHtmlWithForwardSlashInImgSrc = encodedHtml.replace(/src="((?:(?!"|\\\?).)*)/, 'src="$1/');
 
                 describe('"encodeDirectives" method', function () {
                     it('converts media directive img src to directive URL', function () {
@@ -47,48 +47,93 @@ define([
                     it('converts directive URL img src with a trailing forward slash ' +
                         'to media url without a trailing forward slash',
                         function () {
+                            expect(encodedHtmlWithForwardSlashInImgSrc).not.toEqual(encodedHtml);
                             expect(obj.decodeDirectives(encodedHtmlWithForwardSlashInImgSrc)).toEqual(decodedHtml);
                         }
                     );
                 });
             }
 
-            describe('without secret key', function () {
-                var decodedHtml = '<p>' +
-                    '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
-                    encodedHtml = '<p>' +
-                    '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
-                    '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C" alt="" width="612" height="459">' +
-                    '</p>';
-
-                beforeEach(function () {
-                    obj.initialize('id', {
-                        'directives_url': 'http://example.com/admin/cms/wysiwyg/directive/'
+            describe('without SID in directive query string', function () {
+                describe('without secret key', function () {
+                    var decodedHtml = '<p>' +
+                        '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
+                        encodedHtml = '<p>' +
+                        '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
+                        '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C" alt="" width="612" height="459">' +
+                        '</p>';
+
+                    beforeEach(function () {
+                        obj.initialize('id', {
+                            'directives_url': 'http://example.com/admin/cms/wysiwyg/directive/'
+                        });
                     });
+
+                    runTests(decodedHtml, encodedHtml);
                 });
 
-                runTests(decodedHtml, encodedHtml);
+                describe('with secret key', function () {
+                    var decodedHtml = '<p>' +
+                        '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
+                        encodedHtml = '<p>' +
+                        '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
+                        '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C/key/' +
+                        '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58" ' +
+                        'alt="" width="612" height="459">' +
+                        '</p>',
+                        directiveUrl = 'http://example.com/admin/cms/wysiwyg/directive/key/' +
+                        '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58/';
+
+                    beforeEach(function () {
+                        obj.initialize('id', {
+                            'directives_url': directiveUrl
+                        });
+                    });
+
+                    runTests(decodedHtml, encodedHtml);
+                });
             });
 
-            describe('with secret key', function () {
-                var decodedHtml = '<p>' +
-                    '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
-                    encodedHtml = '<p>' +
-                    '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
-                    '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C/key/' +
-                    '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58" ' +
-                    'alt="" width="612" height="459">' +
-                    '</p>',
-                    directiveUrl = 'http://example.com/admin/cms/wysiwyg/directive/key/' +
-                    '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58/';
-
-                beforeEach(function () {
-                    obj.initialize('id', {
-                        'directives_url': directiveUrl
+            describe('with SID in directive query string', function () {
+                describe('without secret key', function () {
+                    var decodedHtml = '<p>' +
+                        '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
+                        encodedHtml = '<p>' +
+                        '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
+                        '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C?SID=something" ' +
+                        'alt="" width="612" height="459">' +
+                        '</p>',
+                        directiveUrl = 'http://example.com/admin/cms/wysiwyg/directive?SID=something';
+
+                    beforeEach(function () {
+                        obj.initialize('id', {
+                            'directives_url': directiveUrl
+                        });
                     });
+
+                    runTests(decodedHtml, encodedHtml);
                 });
 
-                runTests(decodedHtml, encodedHtml);
+                describe('with secret key', function () {
+                    var decodedHtml = '<p>' +
+                        '<img src="{{media url=&quot;wysiwyg/banana.jpg&quot;}}" alt="" width="612" height="459"></p>',
+                        encodedHtml = '<p>' +
+                        '<img src="http://example.com/admin/cms/wysiwyg/directive/___directive' +
+                        '/e3ttZWRpYSB1cmw9Ind5c2l3eWcvYmFuYW5hLmpwZyJ9fQ%2C%2C/key/' +
+                        '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58?SID=something" ' +
+                        'alt="" width="612" height="459">' +
+                        '</p>',
+                        directiveUrl = 'http://example.com/admin/cms/wysiwyg/directive/key/' +
+                        '5552655d13a141099d27f5d5b0c58869423fd265687167da12cad2bb39aa9a58?SID=something';
+
+                    beforeEach(function () {
+                        obj.initialize('id', {
+                            'directives_url': directiveUrl
+                        });
+                    });
+
+                    runTests(decodedHtml, encodedHtml);
+                });
             });
         });
     });
diff --git a/lib/web/mage/adminhtml/wysiwyg/tiny_mce/tinymce4Adapter.js b/lib/web/mage/adminhtml/wysiwyg/tiny_mce/tinymce4Adapter.js
@@ -608,9 +608,15 @@ define([
          * @return {*}
          */
         decodeDirectives: function (content) {
-            // escape special chars in directives url to use it in regular expression
-            var url = this.makeDirectiveUrl('%directive%').replace(/([$^.?*!+:=()\[\]{}|\\])/g, '\\$1'),
-                reg = new RegExp(url.replace('%directive%', '([a-zA-Z0-9,_-]+(?:%2[A-Z]|)+\/?)(?:(?!").)*') + '/?');
+            var directiveUrl = this.makeDirectiveUrl('%directive%').split('?')[0], // remove query string from directive
+                // escape special chars in directives url to use in regular expression
+                regexEscapedDirectiveUrl = directiveUrl.replace(/([$^.?*!+:=()\[\]{}|\\])/g, '\\$1'),
+                regexDirectiveUrl = regexEscapedDirectiveUrl
+                    .replace(
+                        '%directive%',
+                        '([a-zA-Z0-9,_-]+(?:%2[A-Z]|)+\/?)(?:(?!").)*'
+                    ) + '/?(\\\\?[^"]*)?', // allow optional query string
+                reg = new RegExp(regexDirectiveUrl);
 
             return content.gsub(reg, function (match) {
                 return Base64.mageDecode(decodeURIComponent(match[1]).replace(/\/$/, '')).replace(/"/g, '&quot;');
