AO3-6719 Leave src URLs instead of emptiness for images stripped in AO3-6564

app/helpers/comments_helper.rb

@@ -47,6 +47,10 @@ def get_commenter_pseud_or_name(comment)
     end
   end
 
+  def image_safety_mode_cache_key(comment)
+    "image-safety-mode" if comment.use_image_safety_mode?
+  end
+
   ####
   ## Mar 4 2009 Enigel: the below shouldn't happen anymore, please test
   ####

app/models/comment.rb

@@ -495,7 +495,11 @@ def mark_unhidden!
   end
 
   def sanitized_content
-    sanitize_field(self, :comment_content, strip_images: ultimate_parent.is_a?(AdminPost))
+    sanitize_field(self, :comment_content, image_safety_mode: use_image_safety_mode?)
+  end
+
+  def use_image_safety_mode?
+    parent_type.in?(ArchiveConfig.PARENTS_WITH_IMAGE_SAFETY_MODE)
   end
   include Responder
 end

app/models/feedback_reporters/abuse_reporter.rb

@@ -32,6 +32,6 @@ def subject
   def ticket_description
     return "No comment submitted." if description.blank?
 
-    strip_images(description.html_safe)
+    strip_images(description.html_safe, keep_src: true)
   end
 end

app/models/feedback_reporters/support_reporter.rb

@@ -33,6 +33,6 @@ def subject
   def ticket_description
     return "No description submitted." if description.blank?
 
-    strip_images(description.html_safe)
+    strip_images(description.html_safe, keep_src: true)
   end
 end

app/views/admin/banners/_banner.html.erb

@@ -2,6 +2,6 @@
 <% # don't forget to update layouts/banner! %>
 <div class="<%= admin_banner.banner_type %> announcement group">
   <blockquote class="userstuff">
-    <%= raw sanitize_field(admin_banner, :content, strip_images: true) %>
+    <%= raw sanitize_field(admin_banner, :content, image_safety_mode: true) %>
   </blockquote>
 </div>

app/views/bookmarks/_bookmark_blurb_short.html.erb

@@ -31,7 +31,7 @@
   <% if bookmark.bookmarker_notes.present? %>
     <h6 class="landmark heading"><%= ts("Bookmark Notes:") %></h6>
     <blockquote class="userstuff summary">
-      <%= raw sanitize_field(bookmark, :bookmarker_notes, strip_images: true) %>
+      <%= raw sanitize_field(bookmark, :bookmarker_notes, image_safety_mode: true) %>
     </blockquote>
   <% end %>
   <!--actions-->

app/views/bookmarks/_bookmark_user_module.html.erb

@@ -48,7 +48,7 @@
     <% if bookmark.bookmarker_notes.present? %>
       <h6 class="landmark heading"><%= ts('Bookmarker\'s Notes') %></h6>
       <blockquote class="userstuff notes">
-        <%= raw sanitize_field(bookmark, :bookmarker_notes, strip_images: true) %>
+        <%= raw sanitize_field(bookmark, :bookmarker_notes, image_safety_mode: true) %>
       </blockquote>
     <% end %>
     <% # end of information added by the bookmark owner %>

app/views/comments/_single_comment.html.erb

@@ -37,7 +37,7 @@
           <%= time_in_zone(single_comment.created_at) %>
         </span>
       </h4>
-      <% cache([single_comment, single_comment.comment_owner, "body"], expires_in: 1.week) do %>
+      <% cache([single_comment, single_comment.comment_owner, "body", image_safety_mode_cache_key(single_comment)], expires_in: 1.week) do %>
         <div class="icon">
           <% if !single_comment.pseud.nil? %>
             <% if single_comment.by_anonymous_creator? %>
@@ -56,7 +56,7 @@
           <p class="notice"><%= ts("This comment has been hidden by an admin.") %></p>
         <% end %>
         <blockquote class="userstuff">
-          <%= raw sanitize_field(single_comment, :comment_content, strip_images: single_comment.ultimate_parent.is_a?(AdminPost)) %>
+          <%= raw sanitize_field(single_comment, :comment_content, image_safety_mode: single_comment.use_image_safety_mode?) %>
         </blockquote>
       <% end %>
       <% if single_comment.edited_at.present? %>

app/views/inbox/_inbox_comment_contents.html.erb

@@ -27,5 +27,5 @@
 </div>
 
 <blockquote class="userstuff">
-  <%= raw sanitize_field(feedback_comment, :comment_content, strip_images: feedback_comment.ultimate_parent.is_a?(AdminPost)) %>
+  <%= raw sanitize_field(feedback_comment, :comment_content, image_safety_mode: feedback_comment.use_image_safety_mode?) %>
 </blockquote>

app/views/layouts/_banner.html.erb

@@ -2,7 +2,7 @@
   <% unless session[:hide_banner] || current_user&.preference&.banner_seen %>
     <div class="<%= @admin_banner.banner_type %> announcement group" id="admin-banner">
       <blockquote class="userstuff">
-        <%= raw sanitize_field(@admin_banner, :content, strip_images: true) %>
+        <%= raw sanitize_field(@admin_banner, :content, image_safety_mode: true) %>
       </blockquote>
       <% if current_user.nil? %>
         <p class="submit">

app/views/pseuds/_pseud_module.html.erb

@@ -17,6 +17,6 @@
 </div>
 <% if pseud.description.present? %>
   <blockquote class="userstuff">
-    <%= raw sanitize_field(pseud, :description, strip_images: true) %>
+    <%= raw sanitize_field(pseud, :description, image_safety_mode: true) %>
   </blockquote>
 <% end %>

app/views/share/_embed_meta_bookmark.erb

@@ -5,6 +5,6 @@
 <% end %>
 <% if bookmark.bookmarker_notes.present? %>
 <%= ts("Bookmarker's Notes: ").html_safe %>
-<%= raw sanitize_field(bookmark, :bookmarker_notes, strip_images: true) %>
+<%= raw sanitize_field(bookmark, :bookmarker_notes, image_safety_mode: true) %>
 <% end %>
 <% end %>

app/views/user_mailer/abuse_report.html.erb

@@ -26,7 +26,7 @@
   </p>
 
   <p><%= style_work_metadata_label(t(".copy.comment")) %></p>
-  <p><%= style_quote(raw(strip_images(@comment))) %></p>
+  <p><%= style_quote(raw(strip_images(@comment, keep_src: true))) %></p>
 
   <p><%= t(".thank_you") %></p>
 

app/views/user_mailer/abuse_report.text.erb

@@ -20,7 +20,7 @@
 <%= to_plain_text(raw @summary) %>
 
 <%= work_metadata_label(t(".copy.comment")) %>
-<%= to_plain_text(raw @comment) %>
+<%= to_plain_text(raw(strip_images(@comment, keep_src: true))) %>
 
 <%= text_divider %>
 

app/views/user_mailer/feedback.html.erb

@@ -16,7 +16,7 @@
     form:
   </p>
 
-  <%= style_quote("<b>#{raw(strip_images(@summary))}</b> #{raw(strip_images(@comment))}") %>
+  <%= style_quote("<b>#{raw(strip_images(@summary))}</b> #{raw(strip_images(@comment, keep_src: true))}") %>
 
   <p>
     If you have additional questions or information, do not hesitate to send in

app/views/user_mailer/feedback.text.erb

@@ -14,7 +14,7 @@ information you submitted through the Technical Support and Feedback form:
 <%= text_divider %>
 
 * <%= to_plain_text(raw @summary) %> *
-<%= to_plain_text(raw @comment) %>
+<%= to_plain_text(raw(strip_images(@comment, keep_src: true))) %>
 
 <%= text_divider %>
 

config/config.yml

@@ -292,6 +292,12 @@ NONZERO_INTEGER_PARAMETERS:
   page: 1
   per_page: 25
 
+# Enable image safety mode when sanitizing comments on the following parents for
+# display. This is the parent_type of the comment, not the ultimate_parent,
+# so if you want to add extra sanitization to work comments, use Chapter here.
+# Options: AdminPost, Chapter, Tag.
+PARENTS_WITH_IMAGE_SAFETY_MODE: []
+
 # These fields are encrypted and should not have characters escaped or be treated as HTML
 FIELDS_WITHOUT_SANITIZATION: ["password", "password_check", "password_confirmation"]
 

features/comments_and_kudos/comments_adminposts.feature

@@ -135,14 +135,3 @@ Feature: Commenting on admin posts
     When I follow "Edit Post"
     Then I should see "No one can comment"
     # TODO: Test that the other options aren't available/selected in a non-brittle way
-
-  Scenario: Admin post comment does not display images
-    Given I have posted an admin post
-      And I am logged in as "regular"
-      And I go to the admin-posts page
-      And I follow "Default Admin Post"
-    When I fill in "Comment" with "Hi!<img src='http://example.com/icon.svg'>"
-      And I press "Comment"
-    Then I should see "Comment created!"
-      And I should not see the image "src" text "http://example.com/icon.svg"
-      And I should see "Hi!"

features/comments_and_kudos/image_safety_mode.feature

@@ -0,0 +1,62 @@
+Feature: Image safety mode
+  In order to protect users
+  As a site owner
+  I'd like to control which comments can include images
+
+  Scenario Outline: Images are embedded in comments when image safety mode is off.
+    Given the setup for testing image safety mode on <commentable>
+      And image safety mode is disabled for comments
+    When I view <commentable> with comments
+    Then I should see the image "src" text "https://example.com/image.jpg"
+      And I should not see "OMG! https://example.com/image.jpg"
+    When I go to the homepage
+    Then I should see the image "src" text "https://example.com/image.jpg"
+      And I should not see "OMG! https://example.com/image.jpg"
+    When I go to my inbox page
+    Then I should see the image "src" text "https://example.com/image.jpg"
+    When image safety mode is enabled for comments on a "<parent_type>"
+      And I view <commentable> with comments
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+    When I go to the homepage
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+    When I go to my inbox page
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+
+    Examples:
+      | commentable                 | parent_type |
+      | the admin post "Change Log" | AdminPost   |
+      | the work "My Opus"          | Chapter     |
+      | the tag "No Fandom"         | Tag         |
+
+  Scenario Outline: Embedded images in comments are replaced with their URLs when image safety mode is enabled.
+    Given the setup for testing image safety mode on <commentable>
+      And image safety mode is enabled for comments on a "<parent_type>"
+    When I view <commentable> with comments
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+    When I go to the homepage
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+    When I go to my inbox page
+    Then I should not see the image "src" text "https://example.com/image.jpg"
+      But I should see "OMG! https://example.com/image.jpg"
+    When image safety mode is disabled for comments
+      And I view <commentable> with comments
+    Then I should see the image "src" text "https://example.com/image.jpg"
+      And I should not see "OMG! https://example.com/image.jpg"
+    When I go to the homepage
+    Then I should see the image "src" text "https://example.com/image.jpg"
+      And I should not see "OMG! https://example.com/image.jpg"
+    When I go to my inbox page
+    Then I should see the image "src" text "https://example.com/image.jpg"
+      And I should not see "OMG! https://example.com/image.jpg"
+
+    Examples:
+      | parent_type | commentable                 |
+      | AdminPost   | the admin post "Change Log" |
+      | Chapter     | the work "My Opus"          |
+      | Tag         | the tag "No Fandom"         |
+

features/comments_and_kudos/inbox.feature

@@ -159,12 +159,3 @@ Feature: Get messages in the inbox
       And I go to the homepage
     Then I should see "sewwiththeflo on Cat Thor's Bizarre Adventure"
       And I should see "Thank you! Please go to bed."
-
-  Scenario: Reply to a comment on an admin post that contains an image
-    Given I have posted an admin post
-      And a comment "My comment" by "sewwiththeflo" on the admin post "Default Admin Post"
-      And a reply "My reply <img src='foo.jpg' />" by "unbeatablesg" on the admin post "Default Admin Post"
-    When I am logged in as "sewwiththeflo"
-      And I go to the homepage
-    Then I should see "My reply"
-      And I should not see "<img src='foo.jpg' />"

features/other_a/abuse_report.feature

@@ -65,9 +65,13 @@ Feature: Filing an abuse report
   Given I am logged in as "otheruser"
     And basic languages
   When I follow "Policy Questions & Abuse Reports"
-    And I fill in "Description of the content you are reporting (required)" with "This is wrong"
-    And I fill in "Brief summary of Terms of Service violation (required)" with '<img src="foo.jpg" />Hi'
+    And I fill in "Brief summary of Terms of Service violation (required)" with '<img src="foo.jpg" />Gross'
+    And I fill in "Description of the content you are reporting (required)" with "This is wrong <img src='bar.jpeg' />"
     And I fill in "Link to the page you are reporting (required)" with "http://www.archiveofourown.org/works"
     And I press "Submit"
   Then 1 email should be delivered
-    And the email should not contain "<img src="foo.jpg" />"
+    # The sanitizer adds the domain in front of relative image URLs as of AO3-6571
+    And the email should not contain "<img src="http://www.example.org/foo.jpg" />"
+    And the email should not contain "<img src="http://www.example.org/bar.jpeg" />"
+    But the email should contain "Gross"
+    And the email should contain "This is wrong http://www.example.org/bar.jpeg"

features/other_b/support.feature

@@ -56,4 +56,6 @@ Feature: Filing a support request
     And I fill in "Your question or problem" with '<img src="foo.jpg" />Hi'
     And I press "Send"
   Then 1 email should be delivered
-    And the email should not contain "<img src="foo.jpg" />"
+    # The sanitizer adds the domain in front of relative image URLs as of AO3-6571
+    And the email should not contain "<img src="http://www.example.org/foo.jpg" />"
+    But the email should contain "http://www.example.org/foo.jpgHi"

features/step_definitions/comment_steps.rb

@@ -58,6 +58,33 @@
                     comment_content: text)
 end
 
+Given "image safety mode is enabled for comments on a {string}" do |parent_type|
+  allow(ArchiveConfig).to receive(:PARENTS_WITH_IMAGE_SAFETY_MODE).and_return(parent_type)
+end
+
+Given "image safety mode is disabled for comments" do
+  allow(ArchiveConfig).to receive(:PARENTS_WITH_IMAGE_SAFETY_MODE).and_return([])
+end
+
+Given "the setup for testing image safety mode on the admin post {string}" do |title|
+  step %{the admin post "#{title}"}
+  step %{a comment "plain text" by "commentrecip" on the admin post "#{title}"}
+  step %{a reply 'OMG! <img src="https://example.com/image.jpg">' by "commenter" on the admin post "#{title}"}
+  step %{I am logged in as "commentrecip"}
+end
+
+Given "the setup for testing image safety mode on the tag {string}" do |name|
+  step %{the tag wrangler "commentrecip" with password "password" is wrangler of "No Fandom"}
+  step %{a comment 'OMG! <img src="https://example.com/image.jpg">' by "commenter" on the tag "#{name}"}
+  step %{I am logged in as "commentrecip"}
+end
+
+Given "the setup for testing image safety mode on the work {string}" do |title|
+  step %{the work "#{title}" by "commentrecip"}
+  step %{a comment 'OMG! <img src="https://example.com/image.jpg">' by "commenter" on the work "#{title}"}
+  step %{I am logged in as "commentrecip"}
+end
+
 # THEN
 
 Then /^the comment's posted date should be nowish$/ do

lib/html_cleaner.rb

@@ -2,7 +2,9 @@
 module HtmlCleaner
   # If we aren't sure that this field hasn't been sanitized since the last sanitizer version,
   # we sanitize it before we allow it to pass through (and save it if possible).
-  def sanitize_field(object, fieldname, strip_images: false)
+  # For certain highly visible fields, we might want to be cautious about
+  # images. Use image_safety_mode: true to prevent images from embedding as-is.
+  def sanitize_field(object, fieldname, image_safety_mode: false)
     return "" if object.send(fieldname).nil?
 
     sanitizer_version = object.try("#{fieldname}_sanitizer_version")
@@ -15,7 +17,7 @@ def sanitize_field(object, fieldname, strip_images: false)
         sanitize_value(fieldname, object.send(fieldname))
       end
 
-    sanitized_field = strip_images(sanitized_field) if strip_images
+    sanitized_field = strip_images(sanitized_field, keep_src: true) if image_safety_mode
     sanitized_field
   end
 
@@ -144,9 +146,13 @@ def add_paragraphs_to_text(text)
   # These assume they are running on well-formed XHTML, which we can do
   # because they will only be used on already-cleaned fields.
 
-  # strip img tags
-  def strip_images(value)
-    value.gsub(/<img .*?>/, '')
+  # strip img tags, optionally leaving the src URL exposed
+  def strip_images(value, keep_src: false)
+    value.gsub(/(<img .*?>)/) do |img_tag|
+      match_data = img_tag.match(/src="([^"]+)"/) if keep_src
+      src = match_data[1] if match_data
+      src || ""
+    end
   end
 
   def strip_html_breaks_simple(value)