User tests: Successful: Unsuccessful:
Removed all $baseurl from image src.

Shop 1: Image URL in field image via media manager (something like http://example.org/someimage.jpg).
Book Store: banner, Image URL.
Check that nothing has changed and the internal image is displayed, too.

Status | New | ⇒ | Pending |
Category | ⇒ | Modules Front End |
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC after two successful tests.
I think it is safer to check if the image URL starts with http and then not add the base URL.
Go into an article, click the TinyMCE image button. Enter bload://pumps.jpg as URL. Click insert.
Nothing is checking if it's http or whatever.
Try the same with Intro Image...
Check the result in FE.
<img src="bload://pumps.jpg" alt="">
So why should I code now in this PR a check for the protocol? Do we really need restrictions like that for the users? If they don't see the image in FE I think they know that they did something wrong.
The reason for my suggestion is b/c, whatever we change we should always try to implement it in a way that it is as close as possible to the past behaviour.
My change is fully B/C. Nothing changes for internal URLs. As I said, it's the same behavior as anywhere in Joomla. The consequence of what you say is that Joomla is unsafe in several places. The media manager is unsafe? So the issue should be fixed there.
The typical way for banner placement is: you get an affiliate link and an external image link. It must be possible to paste both into the banner item without any further effort like downloading images.
Close here if you think that I really opened a security issue.
It is my job to be better safe than sorry, btw. I haven't said anything about security.
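As an added illustration of the two behaviours argued over above (prepend the base URL only to internal paths, and optionally also restrict absolute URLs to http(s) as suggested), here is example code of my own; it is not the PR's diff or a Joomla helper, and the function names, base URL and sample paths are assumptions:

```php
<?php
// Added example, not code from the PR: decide when a site base URL should be
// prepended to a banner image path, and optionally reject absolute URLs whose
// scheme is not http(s). Function names and sample values are assumptions.

function isAbsoluteUrl(string $src): bool
{
    // Protocol-relative URLs (//cdn.example.org/x.jpg) count as absolute.
    if (strpos($src, '//') === 0) {
        return true;
    }
    // Any scheme followed by ':' (http:, https:, bload:, data:) is absolute.
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*:#i', $src);
}

function resolveImageSrc(string $src, string $baseUrl, bool $onlyHttp = false): ?string
{
    $src = trim($src);
    if ($src === '') {
        return null;
    }

    if (!isAbsoluteUrl($src)) {
        // Internal path (e.g. from the media manager): keep the old behaviour
        // and prepend the site base URL exactly once.
        return rtrim($baseUrl, '/') . '/' . ltrim($src, '/');
    }

    if ($onlyHttp) {
        // The "starts with http" variant: only http and https pass through.
        // Protocol-relative URLs have no scheme and inherit the page's http(s).
        $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
        if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
            return null;
        }
    }

    // External URL: pass through untouched, as the PR does.
    return $src;
}

// Constructed sample inputs covering the cases discussed in the thread.
$base  = 'http://example.org/joomla';
$cases = [
    'images/banners/shop1.jpg',          // internal media manager path
    '/images/banners/shop1.jpg',         // internal, leading slash
    'http://example.org/someimage.jpg',  // external, as in the PR description
    '//cdn.example.org/banner.png',      // protocol-relative
    'bload://pumps.jpg',                 // the unknown scheme from the TinyMCE test
];

foreach ($cases as $case) {
    printf(
        "%-34s -> %-45s | http-only: %s\n",
        $case,
        resolveImageSrc($case, $base) ?? 'NULL',
        resolveImageSrc($case, $base, true) ?? 'NULL'
    );
}
```

Whichever branch is taken, the returned value still has to be escaped (htmlspecialchars) when it is written into the `src` attribute in the template; the scheme check only decides whether a URL is used at all, it does not make the output attribute-safe.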
Labels | Added: ? |
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-06-20 09:09:17 |
Closed_By | ⇒ | rdeutz |
I have tested this item ✅ successfully on 83cc1bf
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16440.