Merge pull request #754 from Badsender-com/fix-decode-format-href

Fix: don't encode href and src values

Author: FlorianGille

packages/server/utils/process-mosaico-html-render.js

@@ -33,7 +33,9 @@ function secureHtml(html) {
 
 // We don't want to manage any special format inside href now. We let the reponsability to users to decode
 // themselves links in href (but only for href values) that's why we use this regex below
-const globalRegexp = /href="(.+?)"/g;
+const hrefRegexp = /href="(.+?)"/g;
+
+const srcRegexp = /src="(.+?)"/g;
 
 const decodeTag = (match, tag, fun = (value) => value) => {
   let decodedTag = htmlEntities.decode(tag);
@@ -45,18 +47,26 @@ const decodeTag = (match, tag, fun = (value) => value) => {
   return decodedTag;
 };
 
-function decodeGlobalTags(html) {
+function decodeHrefTags(html) {
   return html.replace(
-    globalRegexp,
+    hrefRegexp,
     (match, tag) => `href="${decodeTag(match, tag)}"`
   );
 }
 
+function decodeSrcTags(html) {
+  return html.replace(
+    srcRegexp,
+    (match, tag) => `src="${decodeTag(match, tag)}"`
+  );
+}
+
 const basicHtmlProcessing = _.flow(
   removeTinyMceExtraBrTag,
   replaceTabs,
   secureHtml,
-  decodeGlobalTags
+  decodeHrefTags,
+  decodeSrcTags
 );
 
 module.exports = basicHtmlProcessing;