[wp-trac] [WordPress Trac] #19023: Images in Edit Comments break SSL

WordPress Trac wp-trac at lists.automattic.com
Wed Nov 2 20:11:02 UTC 2011


#19023: Images in Edit Comments break SSL
----------------------------+------------------------------
 Reporter:  joostdevalk     |       Owner:  nacin
     Type:  defect (bug)    |      Status:  reviewing
 Priority:  high            |   Milestone:  Awaiting Review
Component:  Administration  |     Version:  3.3
 Severity:  normal          |  Resolution:
 Keywords:                  |
----------------------------+------------------------------
Changes (by marfarma):

 * cc: pauli.price@… (added)


Comment:

 As the author of #15928:comment:5 I'd like to add my support for a
 set_url_scheme(), the eventual creation of a separate admin-side template
 function that obeys is_ssl(), as well as  other ssl only admin-side
 related fixes.

 I'd also like to see plugin checks, like the existing theme checks, that
 warn plugin authors that using get_option('siteurl') instead of site_url()
 is probably a bad idea.  And that the use of the constants like
 WP_PLUGIN_URL instead of the appropriate functions is definitely bad.  I
 can't tell you how often I've see it - even in recently updated and
 otherwise exemplary code.

 [let me know how I can help]

 At the moment, in order to eliminate mixed-content warnings in IE, I've
 had to hack several plugins that used constants to enqueue files.  I'm
 also filtering the following as a 'blanket fix' for things that use
 get_option instead of functions to build uri's (i.e.
 wp_get_attachment_url) to server site assets admin-side.

 {{{
 add_filter('option_siteurl', 'fix_ssl_siteurl');
 add_filter('option_home', 'fix_ssl_siteurl');
 add_filter('option_url', 'fix_ssl_siteurl');
 add_filter('option_wpurl', 'fix_ssl_siteurl');
 add_filter('option_stylesheet_url', 'fix_ssl_siteurl');
 add_filter('option_template_url', 'fix_ssl_siteurl');
 }}}

 This creates the issue I described, where media is inserted into posts
 with https uri's, and will be a problem in cases where filtering those
 values is undesirable (i.e. the pretty links lite plugin).

 I'm about to create a plugin to work around the inserting media into post
 issue. It will:

 1) filter content_save_pre and content_edit_pre to serve site assets as
 https in the visual editor, while storing them as http in the database.

 2) filter the_content to serve site assets as https, in the event that a
 logged in user is viewing the front end (i.e. has clicked from the admin
 to the view the front end) so they won't then see broken images.

 3) probably include Kurt Payne's ssl_proxy for externally hosted media,
 now that I see how it's done (thanks Kurt!)

 Perhaps my content_save_pre, content_edit_pre and the_content filters
 should be part of a unified patch that addresses #15928, #18017, #19037
 and #19023

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19023#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list