fix(feed): sanitizeMediaUrl automatically upgrades http:// to https:// #345
Merged
The backend OgFetchService already upgrades og:image to https at fetch time; this is defense-in-depth:
- http:// covers in historical data that has not been backfilled can still be displayed on feed cards
- If the LLM fallback backfill or a future site adapter misses the https upgrade, the frontend catches it
- An HTTPS page loading an http:// image is blocked by the mixed-content policy and shows a broken image; the two Xiaohongshu cards on the production /feed are exactly this symptom
Relative paths ("/x.jpg") and URLs that are already https are left untouched; non-http(s) schemes are rejected by the whitelist in the sanitize stage and never reach the upgrade branch.
Pull request overview
This PR addresses /feed link-card covers breaking on HTTPS pages because http:// images trigger mixed content: it adds an automatic http→https upgrade in the frontend sanitizeMediaUrl after the whitelist check passes, as defense-in-depth behind the backend's fetch-time upgrade.
Changes:
- sanitizeMediaUrl upgrades http:// URLs to https:// after they pass the http(s) whitelist check
- Adds/updates the sanitizeMediaUrl comment explaining the mixed-content background and the fallback strategy
Comment on lines +58 to +67
| export function sanitizeMediaUrl( | ||
| raw: string | undefined | null, | ||
| ): string | null { | ||
| return sanitize(raw, SAFE_MEDIA_PROTOCOLS, true); | ||
| const safe = sanitize(raw, SAFE_MEDIA_PROTOCOLS, true); | ||
| if (!safe) return null; | ||
| // 显式判前缀避免误升级相对路径("/x.jpg" 不会进这里,但保险) | ||
| if (safe.toLowerCase().startsWith("http://")) { | ||
| return "https://" + safe.substring(7); | ||
| } | ||
| return safe; |
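Review bot: the string splice `"https://" + safe.substring(7)` keeps any explicit port, so `http://host:80/img` becomes `https://host:80/img` and the browser then attempts TLS against port 80, which cannot succeed; parse with `new URL(safe)`, set `url.protocol = "https:"` and let the parser own the port (clearing it when it is `"80"`, keeping a non-default port such as 8443), and return `url.toString()`. The new branch also lands without a unit test; one case each for https unchanged, http upgraded, an explicit :80, a non-default port and a relative path would pin the behaviour down.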
Copilot CR pointed out two problems:
1. Doing http:// → https:// by string concatenation keeps an explicit port: "http://x.com:80/" becomes "https://x.com:80/", and the browser then tries TLS on port 80, which always fails
2. The upgrade logic has no unit tests
Fix:
- Use new URL(safe), set protocol = "https:", and clear the port when port === "80"
- Non-80 ports are kept (for users running https on 8443 and similar)
- Relative paths skip the URL parser and are returned as-is
- Added tests/url-safety.test.ts with 14 cases covering: https unchanged / http upgraded / case-insensitivity / :80 cleared / :8080 kept / path-query-hash preserved / relative path / protocol-relative rejected / javascript: / data: / vbscript: / mailto: rejected in the media context / empty values
49/49 vitest pass.
Co-authored-by: copilot-pull-request-reviewer[bot] <copilot-pull-request-reviewer[bot]@users.noreply.github.com>
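A self-contained model of the fixed function described in the reply above, added here as an example and not the project's own code: SAFE_MEDIA_PROTOCOLS and the sanitize() whitelist step are assumed stand-ins for the project's, and naiveUpgrade reproduces the first commit's string splice so the :80 defect can be seen side by side with the parser-based fix.

```typescript
// Added example (not the project's code). SAFE_MEDIA_PROTOCOLS and sanitize()
// are assumed stand-ins for the PR's sanitize(raw, SAFE_MEDIA_PROTOCOLS, true).
const SAFE_MEDIA_PROTOCOLS = new Set(["http:", "https:"]);

function parseAbsolute(value: string): URL | null {
  try { return new URL(value); } catch { return null; }   // not an absolute URL
}

// Whitelist step: relative paths pass through, absolute URLs only with a safe
// scheme. The check is on the *parsed* protocol, so javascript:, data:,
// vbscript: and mailto: are rejected before any upgrade logic runs.
function sanitize(raw: string | undefined | null, allowRelative: boolean): string | null {
  if (!raw) return null;
  const value = raw.trim();
  if (value === "") return null;
  if (value.startsWith("//")) return null;                 // protocol-relative: rejected
  if (value.startsWith("/")) return allowRelative ? value : null;
  const parsed = parseAbsolute(value);
  return parsed !== null && SAFE_MEDIA_PROTOCOLS.has(parsed.protocol) ? value : null;
}

// The first commit's approach: a string splice that keeps an explicit ":80".
export function naiveUpgrade(safe: string): string {
  return safe.toLowerCase().startsWith("http://") ? "https://" + safe.substring(7) : safe;
}

// Fixed behaviour: let the URL parser own scheme and port handling.
export function sanitizeMediaUrl(raw: string | undefined | null): string | null {
  const safe = sanitize(raw, true);
  if (!safe) return null;
  if (safe.startsWith("/")) return safe;            // relative path: never enters the parser
  const url = new URL(safe);                        // validated above, cannot throw
  if (url.protocol !== "http:") return safe;        // https stays exactly as given
  url.protocol = "https:";
  // The WHATWG parser already drops http's default port (80) while parsing, so no
  // stale ":80" survives the scheme switch; this explicit clear is belt-and-braces.
  // Any other explicit port (e.g. 8443) is kept: the origin may really serve TLS there.
  if (url.port === "80") url.port = "";
  return url.toString();
}
```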
Background
Of the 13 link-card covers on the production /feed, only 4 render correctly; 2 of them are Xiaohongshu cards whose og_cover is stored as http://sns-webpic-qc.xhscdn.com/..., which the browser's mixed-content policy blocks on the HTTPS page, leaving a broken image. Fix: in sanitizeMediaUrl, do one more http→https upgrade after the whitelist check passes. The backend PR (InvolutionHell/involutionhell-backend#33) already upgrades og:image at fetch time; this is defense-in-depth:
- Leaves relative paths ("/x.jpg") and URLs that are already https untouched
Test plan
vitest run: 34/34 passed