Fix absolutize URL for several cases

[Alkarex]

There were a number of bugs related to the fact that Item::get_links() and Item::get_base() call each-other, making a nice mess during initialisation. See tests.

Furthermore, the standard Atom 1.0 self link was not supported for absolutize URL, wrongly using only alternate. In the same PR because otherwise the tests from both PRs would fail.

[Alkarex]

Running the additional tests without the patches returns:

There were 4 failures:

1) SimplePie\Tests\Unit\EnclosureTest::test_get_link with data set "Test RSS 2.0 with channel link and enclosure" ('            <rss version="2.0...</rss>', 'http://example.net/images/3.jpg')
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.net/images/3.jpg'
+'/images/3.jpg'

/home/alex/GitHub/simplepie/tests/Unit/EnclosureTest.php:40

2) SimplePie\Tests\Unit\EnclosureTest::test_get_link with data set "Test RSS 2.0 with Atom channel link and enclosure" ('            <rss version="2.0...</rss>', 'http://example.net/images/4.jpg')
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.net/images/4.jpg'
+'/images/4.jpg'

/home/alex/GitHub/simplepie/tests/Unit/EnclosureTest.php:40

3) SimplePie\Tests\Unit\ItemTest::test_get_permalink with data set "Test RSS 2.0 with channel link and enclosure from another domain" ('<rss version="2.0" xmlns:medi...</rss>', 'http://example.net/tests/1/')
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.net/tests/1/'
+'http://example.com/tests/1/'

/home/alex/GitHub/simplepie/tests/Unit/ItemTest.php:3436

4) SimplePie\Tests\Unit\ItemTest::test_get_permalink with data set "Test RSS 2.0 with Atom channel link and relative enclosure" ('<rss version="2.0" xmlns:atom...</rss>', 'http://example.net/tests/2/')
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.net/tests/2/'
+'/tests/2/'

/home/alex/GitHub/simplepie/tests/Unit/ItemTest.php:3436

FAILURES!
Tests: 2044, Assertions: 2926, Failures: 4.
Script phpunit handling the test event returned with error code 1

[Alkarex]

This was the original bug I faced, which had me investigate the issue (which turned out to be more severe and complex than anticipated...)

[Alkarex]

Was wrongly returning /images/3.jpg before this patch

[Alkarex]

Was wrongly returning /images/4.jpg before this patch

[Alkarex]

Was wrongly returning http://example.com/tests/1/ before this patch (side-effect of the enclosure)

[Alkarex]

There were no tests for this section and I have not added any. Help welcome if anyone is motivated.
For sure not providing the base URL will lead to wrong absolute URLs

[jtojnar]

Not providing the base URL will result in the original URL to be returned:

simplepie/src/Sanitize.php

Line 539 in 52c764f

$absolute = $this->registry->call(Misc::class, 'absolutize_url', [$data, $base]);

But I guess we want to at least support xml:base (as that is the only well defined standard for resolving URLs) so this change makes sense.

[Alkarex]

Downstream PR FreshRSS/FreshRSS#6270

[jtojnar]

Original RSS specification requires URLs to include scheme. I would expect that if the feed has relative URLs the content is taken from the HTML (alternate) version unchanged, and so the links should be resolved relative to that.

[jtojnar]

This is also reflected in the previous definition, as self link is basically the canonical version of subscribe URL.

[jtojnar]

Though I guess self before alternate might make sense for mrss elements, since those only exist in the feed. (But really, it will depend on how the feed is generated. mrss only mandates direct URL, which is not very useful.)

[jtojnar]

Looks like https://www.rssboard.org/news/151/relative-links discusses this and recommends self link as a fallback, not mentioning alternate at all. (Note that URLs in the comments are displayed as domains, you will need to check the link href for the examples to make sense.)

And for completeness Atom only seems to mention xml:base:

Any element defined by this specification MAY have an xml:base attribute [W3C.REC-xmlbase-20010627]. When xml:base is used in an Atom Document, it serves the function described in section 5.1.1 of RFC3986, establishing the base URI (or IRI) for resolving any relative references found within the effective scope of the xml:base attribute.

And, as mentioned in one of the comments on the RSS article, the xml:base specification also suggests the document URI (i.e. subscribe URL after redirects, which I would expect to match self link) for the fallback:

The attribute xml:base may be inserted in XML documents to specify a base URI other than the base URI of the document or external entity.

[Alkarex]

Just to follow-up on this. It looks like we agree, right? In other words, there does not seem to be any (new) test in contradiction.

[jtojnar]

Looks like rssboard.org/news/151/relative-links discusses this and recommends self link as a fallback, not mentioning alternate at all.

Reading through the article and comments again, it only mentions /rss/channel/link, which would correspond to alternate link – not sure why I thought it was talking about self. So I am back to thinking we should swap self and alternate in the priority list:

• Feed is most likely generated from HTML page so the it is quite likely relative links were just left as is from the HTML content.
• As Paul Victor mentions, using the feed address would break relative links if the feed were to be moved.
• self → alternate → feed URL jumps from feed to HTML and back to feed. It would be more natural to first try HTML and then fall back to feed.

The tests are still green with xml:base → alternate → self → feed URL order.

[Alkarex]

Done

[Alkarex]

@jtojnar Arguably less urgent than other matters, but this PR can be considered for merging in my opinion

[jtojnar]

Thanks. Finally gotten around to doing thorough review, sorry it took so long. It looks okay but I have few more questions.

[jtojnar]

This is weird but looks like get_permalink was always like this – bce917d.

[jtojnar]

greping for CONSTRUCT_IRI), looks like Source::get_image_url and SimplePie::get_image_url suffer from the same issue of missing base.

[jtojnar]

Not providing the base URL will result in the original URL to be returned:

simplepie/src/Sanitize.php

Line 539 in 52c764f

$absolute = $this->registry->call(Misc::class, 'absolutize_url', [$data, $base]);

But I guess we want to at least support xml:base (as that is the only well defined standard for resolving URLs) so this change makes sense.

[jtojnar]

Due to low coverage of this code I am not fully confident in the correctness but from going through the code, aside from the self×alternate ordering, it looks good enough for me. This is not critical path and we can always fix regressions when reported.

What do you think, @Art4?

---

Ideally, this would be split in three PRs/commits:

1. Item: Simplify base path
2. Item: Support relative URIs everywhere
3. SimplePie: Support self link as feed base URL

As for the failing tests when split, only the two following require both first and third change, so I would simply include in the third change and have it depend on the first one:

• SimplePie\Tests\Unit\EnclosureTest::test_get_link with data set "Test RSS 2.0 with Atom channel link and enclosure"
• SimplePie\Tests\Unit\ItemTest::test_get_permalink with data set "Test RSS 2.0 with Atom channel link and relative enclosure"

But I won’t block on that.

---

If you do not want to bother splitting it, I propose squashing with the following commit message:

Fix several cases of URL absolutization

- Item: Simplify base path

  `Item::get_base()` calls `Item::get_permalink()` → `Item::get_link()` → `Item::get_links()`, which called `Item::get_base()`.
  The cycle was overly confusing and only get broken in second `Item::get_links()` call.
  Furthermore, the second call of `Item::get_permalink()` would return enclosure URL, which makes little sense to use as a base URI.
  (`Item::get_permalink()` was always like this: bce917d6831cc4b799546282a88475d038011584.)

  Let’s introduce a new `Item::get_own_base()` method restricted to `xml:base` and feed base, and use it instead of `Item::get_base()`.

  Also clarify in docs that `Item::get_base()` uses the enclosure link.

- Item: Support relative URIs everywhere

  Original RSS specification requires URLs to include scheme:
  https://www.rssboard.org/rss-specification#comments
  but relative URLs are somewhat commonly used:
  https://www.rssboard.org/news/151/relative-links

  We already construct some IRIs with `Item::get_own_base()` as base so that we support relative URLs.
  Let’s do that with the rest of the IRIs as well.

- SimplePie: Support self link as feed base URL

  If a RSS feed lacks the mandatory `/rss/channel/link` element and does not specify `xml:base`,
  the only base we can use for resolving relative URIs is the address of the feed itself.
  However, that might not be reliable when the feed is served from different location,
  or even available if loaded using `SimplePie::set_raw_data()`.

  Let’s try using `self` link if present, since it should provide more reliable location
  than the URI the feed was obtained from.

These changes were combined into a single PR because the tests are a bit tangled.

[Art4]

@jtojnar LGTM. And as you said we can always fix regressions when reported.