authoryo momma <shutup@oops.wtf>2026-01-30 08:46:18 +0000
committeryo momma <shutup@oops.wtf>2026-01-30 08:46:18 +0000
commit5aea6f7791d9a5238581b04d2198205c90495baf (patch)
tree35e550bd2d58b756ad018708955123f616212b47
parent2e71933790cb3223f7690335eeb66c0c187dbec0 (diff)
Fix: upgrade hotlinked http URLs on HTTPS
-rwxr-xr-xstatic/js/pichat.butt.js18
-rwxr-xr-xstatic/js/pichat.js20
-rwxr-xr-xstatic/js/src/text.js5
-rwxr-xr-xstatic/js/src/util.js15
4 files changed, 40 insertions, 18 deletions
diff --git a/static/js/pichat.butt.js b/static/js/pichat.butt.js
index 3f16519..220e873 100755
--- a/static/js/pichat.butt.js
+++ b/static/js/pichat.butt.js
@@ -52,11 +52,16 @@ function escapeHtml(txt) {
function normalizeUrl(url) {
if (!url) { return url; }
- var lowerurl = url.toLowerCase();
- if (lowerurl.indexOf('http://') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0 || lowerurl.indexOf('//') == 0)
- return url;
+ var trimmed = url.trim();
+ var lowerurl = trimmed.toLowerCase();
+ if (lowerurl.indexOf('//') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0)
+ return trimmed;
+ if (lowerurl.indexOf('http://') == 0) {
+ if (location && location.protocol == 'https:') return 'https://' + trimmed.substr('http://'.length);
+ return trimmed;
+ }
var scheme = (location && location.protocol == 'https:') ? 'https://' : 'http://';
- return scheme + url;
+ return scheme + trimmed;
}
URLRegex = /((\b(http\:\/\/|https\:\/\/|ftp\:\/\/)|(www\.))+(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?)/gi;
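Review bot: The `if (!url)` guard still runs on the untrimmed input, so a whitespace-only string passes it, the new `var trimmed = url.trim();` yields `''`, and control falls through to `return scheme + trimmed`, producing a bare `'https://'` or `'http://'`. Adding `if (!trimmed) { return trimmed; }` directly after the trim line closes that gap; the same applies to the two other copies of normalizeUrl in this commit (pichat.js and src/util.js). This copy also lacks the two-line comment explaining why http:// is upgraded on HTTPS pages that the pichat.js and src/util.js copies carry, so the three copies have already started to drift in this very commit. `trimmed.substr('http://'.length)` uses the legacy Annex-B `substr`; `trimmed.slice('http://'.length)` is the non-deprecated equivalent with identical output here.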
@@ -68,9 +73,10 @@ function getImagesAsArray(text) {
if (urls === null) return imgs
for (var i = 0; i<urls.length; i++){
var url = urls[i]
- var urlWithoutParams = url.replace(/\?.*$/i, "");
+ var normalized = normalizeUrl(url);
+ var urlWithoutParams = normalized.replace(/[?#].*$/i, "");
if (PicRegex.test(urlWithoutParams))
- imgs.push(url)
+ imgs.push(normalized)
}
return imgs
}
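Review bot: The new `normalizeUrl(url)` call makes getImagesAsArray depend on the browser `location` global, because normalizeUrl tests `location && location.protocol == 'https:'`; that expression does not protect against `location` being undeclared (a bare identifier throws ReferenceError rather than evaluating falsy), so this text-scanning helper presumably can no longer run in a non-browser context such as Node-based tests. If that matters, the check in normalizeUrl should read `typeof location !== 'undefined' && location.protocol == 'https:'`. Separately, the `i` flag on `/[?#].*$/i` is a no-op since the pattern contains no letters and can be dropped. The same hunk is repeated in pichat.js and src/text.js.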
diff --git a/static/js/pichat.js b/static/js/pichat.js
index 67969d8..2283baf 100755
--- a/static/js/pichat.js
+++ b/static/js/pichat.js
@@ -2125,9 +2125,10 @@ function getImagesAsArray(text) {
if (urls === null) return imgs
for (var i = 0; i<urls.length; i++){
var url = urls[i]
- var urlWithoutParams = url.replace(/\?.*$/i, "");
+ var normalized = normalizeUrl(url);
+ var urlWithoutParams = normalized.replace(/[?#].*$/i, "");
if (PicRegex.test(urlWithoutParams))
- imgs.push(url)
+ imgs.push(normalized)
}
return imgs
}
@@ -2330,11 +2331,18 @@ String.prototype.trim = function(){ return this.replace(/^\s+|\s+$/g,'') }
function normalizeUrl(url) {
if (!url) { return url; }
- var lowerurl = url.toLowerCase();
- if (lowerurl.indexOf('http://') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0 || lowerurl.indexOf('//') == 0)
- return url;
+ var trimmed = url.trim();
+ var lowerurl = trimmed.toLowerCase();
+ if (lowerurl.indexOf('//') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0)
+ return trimmed;
+ if (lowerurl.indexOf('http://') == 0) {
+ // On HTTPS pages, modern browsers will auto-upgrade or block insecure image loads.
+ // Prefer upgrading ourselves so hotlinked images render when the host supports HTTPS.
+ if (location && location.protocol == 'https:') return 'https://' + trimmed.substr('http://'.length);
+ return trimmed;
+ }
var scheme = (location && location.protocol == 'https:') ? 'https://' : 'http://';
- return scheme + url;
+ return scheme + trimmed;
}
function isCSSPropertySupported(prop){ return prop in document.body.style }
diff --git a/static/js/src/text.js b/static/js/src/text.js
index f426255..6fe5c3c 100755
--- a/static/js/src/text.js
+++ b/static/js/src/text.js
@@ -25,9 +25,10 @@ function getImagesAsArray(text) {
if (urls === null) return imgs
for (var i = 0; i<urls.length; i++){
var url = urls[i]
- var urlWithoutParams = url.replace(/\?.*$/i, "");
+ var normalized = normalizeUrl(url);
+ var urlWithoutParams = normalized.replace(/[?#].*$/i, "");
if (PicRegex.test(urlWithoutParams))
- imgs.push(url)
+ imgs.push(normalized)
}
return imgs
}
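Review bot: `normalizeUrl` is not defined in src/text.js; in this commit it lives in src/util.js, so text.js now has a load-order dependency on util.js being evaluated first (or concatenated ahead of it, presumably into pichat.js) that did not exist before. A one-line comment above the call, e.g. `// normalizeUrl is defined in src/util.js; it must load before this file`, would make the coupling visible to whoever next reorders the bundle.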
diff --git a/static/js/src/util.js b/static/js/src/util.js
index 2a3dc52..69740ff 100755
--- a/static/js/src/util.js
+++ b/static/js/src/util.js
@@ -18,11 +18,18 @@ String.prototype.trim = function(){ return this.replace(/^\s+|\s+$/g,'') }
function normalizeUrl(url) {
if (!url) { return url; }
- var lowerurl = url.toLowerCase();
- if (lowerurl.indexOf('http://') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0 || lowerurl.indexOf('//') == 0)
- return url;
+ var trimmed = url.trim();
+ var lowerurl = trimmed.toLowerCase();
+ if (lowerurl.indexOf('//') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0)
+ return trimmed;
+ if (lowerurl.indexOf('http://') == 0) {
+ // On HTTPS pages, modern browsers will auto-upgrade or block insecure image loads.
+ // Prefer upgrading ourselves so hotlinked images render when the host supports HTTPS.
+ if (location && location.protocol == 'https:') return 'https://' + trimmed.substr('http://'.length);
+ return trimmed;
+ }
var scheme = (location && location.protocol == 'https:') ? 'https://' : 'http://';
- return scheme + url;
+ return scheme + trimmed;
}
function isCSSPropertySupported(prop){ return prop in document.body.style }