From a536f94c8d1796d34741d0f10b474b5ec67b496a Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Thu, 17 Dec 2015 09:59:53 +0300
Subject: [PATCH] sanitize: clear out @srcset/@sizes on images leading to http
 sites when running over https

---
 include/functions2.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/include/functions2.php b/include/functions2.php
index 0386b52e..1a0cb6d2 100755
--- a/include/functions2.php
+++ b/include/functions2.php
@@ -892,6 +892,8 @@
 
 		$entries = $xpath->query('(//a[@href]|//img[@src])');
 
+		$ttrss_uses_https = parse_url(get_self_url_prefix(), PHP_URL_SCHEME) === 'https';
+
 		foreach ($entries as $entry) {
 
 			if ($site_url) {
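Review bot: `$ttrss_uses_https` fails open: it is false whenever `parse_url()` returns no scheme or one that is not literally lowercase `https`, and the srcset/sizes stripping in the second hunk is then skipped without any signal. get_self_url_prefix() is defined outside this diff; if it returns a configured URL rather than the scheme of the current request, an instance configured with an http:// prefix but served over https would presumably never strip. A comment on the new line would make that dependency visible, e.g. `// false (no stripping) unless get_self_url_prefix() has a literal lowercase https scheme`.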
@@ -916,6 +918,21 @@
 				}
 
 				if ($entry->nodeName == 'img') {
+					if ($entry->hasAttribute('src')) {
+						$is_https_url = parse_url($entry->getAttribute('src'), PHP_URL_SCHEME) === 'https';
+
+						if ($ttrss_uses_https && !$is_https_url) {
+
+							if ($entry->hasAttribute('srcset')) {
+								$entry->removeAttribute('srcset');
+							}
+
+							if ($entry->hasAttribute('sizes')) {
+								$entry->removeAttribute('sizes');
+							}
+						}
+					}
+
 					if (($owner && get_pref("STRIP_IMAGES", $owner)) ||
 							$force_remove_images || $_SESSION["bw_limit"]) {
 
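Review bot: The decision to drop `srcset`/`sizes` is taken from the scheme of `src` alone, so an `<img>` whose `src` is https but whose `srcset` lists http candidates keeps the attribute and can still cause mixed-content loads on an https instance. The candidates are fetched independently of `src`, so the check should inspect the `srcset` value itself and strip when any candidate is not https; over-stripping on an ambiguous value is the safe direction. Separately, the `//img[@src]` query visible in the first hunk means an `<img>` carrying only `srcset` never reaches this branch, and by its indentation the branch appears to sit inside `if ($site_url)`, so it may not run when no site URL is passed; both are worth confirming against the full function, which starts and ends outside this hunk.

```php
if ($entry->nodeName == 'img') {
	if ($ttrss_uses_https && $entry->hasAttribute('srcset')) {
		// srcset candidates are fetched independently of @src, so check each one
		$candidates = preg_split('/\s*,\s*/', $entry->getAttribute('srcset'), -1, PREG_SPLIT_NO_EMPTY);

		foreach ($candidates as $candidate) {
			$candidate_url = (string) strtok($candidate, " \t\r\n");

			if (strtolower((string) parse_url($candidate_url, PHP_URL_SCHEME)) !== 'https') {
				$entry->removeAttribute('srcset');
				$entry->removeAttribute('sizes');
				break;
			}
		}
	}

	// … unchanged: STRIP_IMAGES / force_remove_images / bw_limit handling …
```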
-- 
2.39.5