[Plugin: Image Widget] FORCE_SSL_ADMIN results in https:// links to image

  • aerobrent

    (@aerobrent)


    13 years ago

    I did not see this posted yet, but I notice that if I have FORCE_SSL_ADMIN configured for my site, and I insert images into the widget when logged in under SSL, the links that get stored pointing to the image source are HTTPS rather than HTTP. This is not always the desired result, and often is not desired at all.

    There doesn’t seem to be a way to change the links except manually in the database. Does anyone know a work-around?

    Perhaps when inserting a photo, there needs to be a radio button to allow the selection of HTTP or HTTPS when serving up the image.

    – Brent

    https://www.ads-software.com/extend/plugins/image-widget/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter aerobrent

    (@aerobrent)

    I see where this is happening, and is the result of an “HTTPS” enhancement of the plugin a while back.

    if( $_SERVER[“HTTPS”] == “on” ) {
    $instance[‘imageurl’] = str_replace(‘https://’, ‘https://’, $instance[‘imageurl’]);
    }

    The problem is that this is not a valid assumption. More often than not, people editing with FORCE_SSL_ADMIN enabled will not want their live content being served up via SSL. This is especially true if the live site has a self signed SSL cert.

    Perhaps this bit of HTTPS code could be reworked.

    You have any suggestions of a rewrite?

    Bump.

    if( $_SERVER[“HTTPS”] == “on” ) {
    $instance[‘imageurl’] = str_replace(‘https://’, ‘https://’, $instance[‘imageurl’]);
    }

    Move it to image-widget/views/widget.php ?

    you guys are awesome! I’m watching this closely and am eager to post the fix.

    so basically what you’re saying is that you’ve got the admin in https so the image widget is trying to put the images behind SSL?

    Are you suggesting that that code should be removed? Or should we use if ( $_SERVER[“HTTPS”] == “on” && !defined( ‘FORCE_SSL_ADMIN’ ) )?

    I added this code based on a user submission but never really tested it since it’s never applied to me. I’m working in the blind on this one.

    Thread Starter aerobrent

    (@aerobrent)

    so basically what you’re saying is that you’ve got the admin in https so the image widget is trying to put the images behind SSL?

    Yeah, that’s the issue, but not sure of the best solution. You can’t really assume the presence or lack of FORCE_SSL_ADMIN would indicate whether you want images to be served with HTTPS or not.

    Can the images be inserted with relative links? IE, HTTP or HTTPS isn’t hard coded?

    I don’t know if it’s safe to assume relative links. I am concerned that that sort of update might also break existing installs… but not sure without further investigation.

    I assume you’re using FORCE_SSL_ADMIN. Is that just for the admin area?

    Here’s another idea….

    Add a new constant just for the image widget. default to not using https at all. But if you defined FORCE_SSL_IMAGE_WIDGET to be true, and HTTPS is on, then the image widget uses https.

    That way people who need the existing https feature can reapply it simply by updating the wp-config.php file.

    If the site is loaded over HTTP, the image should be loaded over HTTP as well.
    If the site is loaded over HTTPS, the image should be loaded over HTTPS as well.

    My yesterdays hack was to add some nasty code to image-widget/views/widget.php (see line 19-25):

    https://pastebin.com/LaMxiUsF

    Not elegant, but working.

    Cool Thanks! Here’s what I’m thinking then…

    in the initialization i’ll add this:

    add_filter( 'image_widget_image_url', array( $this, 'https_cleanup' ) );

    I’ll update the view function as follows:

    /**
 * Widget frontend output
 *
 * @param array $args
 * @param array $instance
 * @author Modern Tribe, Inc. (Peter Chester)
 */
function widget( $args, $instance ) {
	extract( $args );
	extract( $instance );
	if ( !empty( $imageurl ) ) {
		$title = apply_filters( 'widget_title', empty( $title ) ? '' : $title );
		$imageurl = apply_filters( 'image_widget_image_url', $imageurl, $args, $instance );
		include( $this->getTemplateHierarchy( 'widget' ) );
	}
}

    And add the following function:

    /**
 * Adjust the image url on output to account for SSL.
 *
 * @param string $imageurl
 * @return string $imageurl
 */
function https_cleanup( $imageurl = '' ) {
	if( isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on" ) {
		$imageurl = str_replace('https://', 'https://', $imageurl);
	} else {
		$imageurl = str_replace('https://', 'https://', $imageurl);
	}
	return $imageurl;
}

    And remove the previous HTTPS code. The benefit of this approach is that someone can choose to remove_filter to bypass this https prefixing or even do their own thing.

    I’ve updated trunk as such. I’ve tried it out as a non SSL / non HTTPS user and it’s working fine but I haven’t tested HTTPS / SSL.

    Can you guys test it out?

    https://downloads.www.ads-software.com/plugin/image-widget.zip
    – OR –
    https://plugins.svn.www.ads-software.com/image-widget/trunk

    Hmmm. Now all images no load over http, which is much better actually.

    Once I moved

    add_filter( ‘image_widget_image_url’, array( $this, ‘https_cleanup’ ) );

    out of admin_setup() and added it to the end of Tribe_Image_Widget() it’s been working as expected.

    I’m happy as is. ??

    @peter Chester:

    • don’t do your own HTTPS detect, use is_ssl(), it’s more comprehensive
    • I wouldn’t bother messing with fixing images for HTTP, they’ll work
    • if you do want to make the images load on the page with the same protocol as the page, whether that’s HTTP or HTTPS, just trim off the protocol: preg_replace('/^https?:/i', '', $imageurl);

    cheers,
    Ross

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘[Plugin: Image Widget] FORCE_SSL_ADMIN results in https:// links to image’ is closed to new replies.