ensure absolute URLs in emails

Author: microstudi

decidim-blogs/spec/events/decidim/blogs/create_post_event_spec.rb

@@ -21,4 +21,32 @@
       expect(subject.resource_text).to eq translated(resource.body)
     end
   end
+
+  describe "email rendering with images" do
+    let(:body_with_image) do
+      {
+        en: '<p>Check: <img src="/rails/active_storage/blobs/redirect/12345.JPG" alt="image" /></p>',
+        ca: '<p>Mira: <img src="/rails/active_storage/blobs/redirect/12345.JPG" alt="image" /></p>',
+        es: '<p>Mira: <img src="/rails/active_storage/blobs/redirect/12345.JPG" alt="image" /></p>'
+      }
+    end
+    let(:resource) { create(:post, title: generate_localized_title(:blog_title), body: body_with_image) }
+    let(:organization) { resource.component.organization }
+
+    it "includes transformed image URLs in notification email body" do
+      mail = Decidim::NotificationMailer.event_received(
+        event_name,
+        "Decidim::Blogs::CreatePostEvent",
+        resource,
+        user,
+        :follower,
+        {}
+      )
+
+      root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host: organization.host)[0..-2]
+      expected_img = %(<img src="#{root_url}/rails/active_storage/blobs/redirect/12345.JPG" alt="image" />)
+
+      expect(mail.body.encoded).to include(expected_img)
+    end
+  end
 end

decidim-core/app/helpers/decidim/newsletters_helper.rb

@@ -3,6 +3,8 @@
 module Decidim
   # Helper that provides methods to render links with utm codes, and replaced name
   module NewslettersHelper
+    include Decidim::SanitizeHelper
+
     # If the newsletter body there are some links and the Decidim.track_newsletter_links = true
     # it will be replaced with the utm_codes method described below.
     # for example transform "https://es.lipsum.com/" to "https://es.lipsum.com/?utm_source=localhost&utm_campaign=newsletter_11"
@@ -19,7 +21,7 @@ def parse_interpolations(content, user = nil, id = nil)
 
       content = interpret_name(content, user)
       content = track_newsletter_links(content, id, host)
-      transform_image_urls(content, host)
+      decidim_transform_image_urls(content, host)
     end
 
     # this method is used to generate the root link on mail with the utm_codes
@@ -67,27 +69,6 @@ def interpret_name(content, user)
       content.gsub("%{name}", user.name)
     end
 
-    # Find each img HTML tag with relative path in src attribute
-    # For each URL, prepends the decidim.root_url
-    #   If host is not defined it returns full content
-    #
-    # @param content [String] - the string to convert
-    # @param host [String] - the Decidim::Organization host to replace
-    #
-    # @return [String] - the content converted
-    #
-    def transform_image_urls(content, host)
-      return content if host.blank?
-
-      content.scan(/src\s*=\s*"([^"]*)"/).each do |src|
-        root_url = decidim.root_url(host:)[0..-2]
-        src_replaced = "#{root_url}#{src.first}"
-        content = content.gsub(/src\s*=\s*"([^"]*#{src.first})"/, %(src="#{src_replaced}"))
-      end
-
-      content
-    end
-
     # Add tracking query params to each links
     #
     # @param content [String] - the string to convert

decidim-core/app/helpers/decidim/sanitize_helper.rb

@@ -139,5 +139,31 @@ def render_sanitized_content(resource, method, presenter_class: nil)
 
       decidim_sanitize_editor(content)
     end
+
+    # Transforms relative image URLs in HTML content to absolute URLs using the provided host.
+    # This is used in emails (newsletters and notifications) to ensure images display correctly
+    # in email clients.
+    #
+    # @param content [String] - HTML content with img tags
+    # @param host [String] - the Decidim::Organization host to use for the root URL
+    #
+    # @return [String] - the content with transformed image URLs
+    def decidim_transform_image_urls(content, host)
+      return content if host.blank? || content.blank?
+
+      root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host:).chomp("/")
+
+      content.gsub(/src\s*=\s*(['"])([^'"]*)\1/) do
+        quote = Regexp.last_match(1)
+        src_value = Regexp.last_match(2)
+
+        if src_value.blank? || src_value.start_with?("http://", "https://", "data:", "//", "cid:")
+          %(src=#{quote}#{src_value}#{quote})
+        else
+          normalized_src = src_value.start_with?("/") ? src_value : "/#{src_value}"
+          %(src=#{quote}#{root_url}#{normalized_src}#{quote})
+        end
+      end
+    end
   end
 end

decidim-core/app/mailers/decidim/application_mailer.rb

@@ -8,7 +8,10 @@ class ApplicationMailer < ActionMailer::Base
     include MultitenantAssetHost
     include Decidim::SanitizeHelper
     include Decidim::OrganizationHelper
-    helper_method :organization_name, :decidim_escape_translated, :decidim_sanitize_translated, :translated_attribute, :decidim_sanitize, :decidim_sanitize_newsletter
+
+    helper Decidim::SanitizeHelper
+    helper_method :organization_name, :current_locale, :decidim_escape_translated, :decidim_sanitize_translated, :translated_attribute, :decidim_sanitize,
+                  :decidim_sanitize_newsletter
 
     after_action :set_smtp
     after_action :set_from

decidim-core/app/views/decidim/notification_mailer/event_received.html.erb

@@ -15,7 +15,7 @@
 
   <blockquote>
     <p>
-      <%= @event_instance.safe_resource_text %>
+      <%= decidim_transform_image_urls(@event_instance.safe_resource_text, @organization.host).html_safe %>
     </p>
   </blockquote>
 <% end %>
@@ -28,7 +28,7 @@
   <p style="font-weight: bold"><%= t(".translated_text") %></p>
   <blockquote>
     <p>
-      <%= @event_instance.safe_resource_translated_text %>
+      <%= decidim_transform_image_urls(@event_instance.safe_resource_translated_text, @organization.host).html_safe %>
     </p>
   </blockquote>
 <% end %>
@@ -40,7 +40,7 @@
         <table>
           <tr>
             <td>
-              <%= link_to @event_instance.button_text, @event_instance.button_url, target: :blank %>
+              <%= link_to decidim_sanitize(@event_instance.button_text, strip_tags: true), @event_instance.button_url, target: :blank %>
             </td>
           </tr>
         </table>

decidim-core/spec/helpers/decidim/newsletters_helper_spec.rb

@@ -31,8 +31,9 @@ module Decidim
       end
 
       it "transforms image URLs with the host" do
-        expect(subject).to include('<img src="http://localhost/rails/active_storage/blobs/redirect/12345.JPG"')
-        expect(subject).to include('<img src="http://localhost/rails/active_storage/blobs/redirect/56789.JPG"')
+        root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host: organization.host)[0..-2]
+        expect(subject).to include(%(<img src="#{root_url}/rails/active_storage/blobs/redirect/12345.JPG"))
+        expect(subject).to include(%(<img src="#{root_url}/rails/active_storage/blobs/redirect/56789.JPG"))
       end
 
       context "when track_newsletter_links is false" do
@@ -99,22 +100,5 @@ module Decidim
         it { is_expected.to include("<p>Hello, </p>") }
       end
     end
-
-    describe "#transform_image_urls" do
-      subject { helper.send(:transform_image_urls, text, organization.host) }
-
-      it "transforms image URLs with the host" do
-        expect(subject).to include('<img src="http://localhost/rails/active_storage/blobs/redirect/12345.JPG"')
-        expect(subject).to include('<img src="http://localhost/rails/active_storage/blobs/redirect/56789.JPG"')
-      end
-
-      context "when host is not present" do
-        subject { helper.send(:transform_image_urls, text, nil) }
-
-        it "returns the full content" do
-          expect(subject).to eq text
-        end
-      end
-    end
   end
 end

decidim-core/spec/helpers/decidim/sanitize_helper_spec.rb

@@ -104,6 +104,70 @@ module Decidim
           expect(helper.decidim_sanitize('<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA..." onerror="alert(\'XSS\')">', strip_tags: false)).not_to include("onerror")
         end
       end
+
+      context "when decidim_transform_image_urls is invoked" do
+        let(:host) { "example.org" }
+
+        let(:user_input) do
+          %{(<p>Hello, %{name}</p>
+          <a href="https://meta.decidim.org">Link</a>
+          <img src="/rails/active_storage/blobs/redirect/12345.JPG" alt="image" />
+          <a href="https://meta.decidim.org/">Link</a>
+          <img src="/rails/active_storage/blobs/redirect/56789.JPG" alt="second image" />)}
+        end
+
+        subject { helper.send(:decidim_transform_image_urls, user_input, host) }
+
+        it "transforms image URLs with the host" do
+          root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host:)[0..-2]
+          expect(subject).to include(%(<img src="#{root_url}/rails/active_storage/blobs/redirect/12345.JPG"))
+          expect(subject).to include(%(<img src="#{root_url}/rails/active_storage/blobs/redirect/56789.JPG"))
+        end
+
+        context "when a relative src matches the suffix of an absolute URL" do
+          let(:user_input) do
+            %(<img src="/image.jpg" alt="relative" /><img src="https://example.com/image.jpg" alt="absolute" />)
+          end
+
+          it "transforms only the relative URL" do
+            root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host:)[0..-2]
+
+            expect(subject).to include(%(<img src="#{root_url}/image.jpg" alt="relative" />))
+            expect(subject).to include(%(<img src="https://example.com/image.jpg" alt="absolute" />))
+          end
+        end
+
+        context "when src uses data/protocol-relative/cid URLs" do
+          let(:user_input) do
+            %(<img src="data:image/png;base64,AAAA" alt="data" />
+<img src="//cdn.example.org/image.jpg" alt="protocol-relative" />
+<img src="cid:logo@example.org" alt="cid" />)
+          end
+
+          it "keeps them unchanged" do
+            expect(subject).to include(%(src="data:image/png;base64,AAAA"))
+            expect(subject).to include(%(src="//cdn.example.org/image.jpg"))
+            expect(subject).to include(%(src="cid:logo@example.org"))
+          end
+        end
+
+        context "when src attribute is single-quoted" do
+          let(:user_input) { "<img src='/image.jpg' alt='relative' />" }
+
+          it "transforms the URL preserving single quotes" do
+            root_url = Decidim::EngineRouter.new("decidim", {}).root_url(host:).chomp("/")
+            expect(subject).to include(%(<img src='#{root_url}/image.jpg' alt='relative' />))
+          end
+        end
+
+        context "when host is not present" do
+          subject { helper.send(:decidim_transform_image_urls, user_input, nil) }
+
+          it "returns the full content" do
+            expect(subject).to eq user_input
+          end
+        end
+      end
     end
   end
 end