Fix invalid URL protocol for local development

.github/workflows/build-test-measure.yml

@@ -542,6 +542,10 @@ jobs:
         if: needs.pre-run.outputs.changed-php-count > 0
         run: cp -r "$PWD" "$WP_CORE_DIR/src/wp-content/plugins/amp"
 
+      - name: Setup required WP constants
+        run: |
+          echo "WP_ENVIRONMENT_TYPE=local" >> $GITHUB_ENV
+
       - name: Run tests
         if: ${{ matrix.coverage == false && needs.pre-run.outputs.changed-php-count > 0 }}
         run: vendor/bin/phpunit --verbose

includes/amp-helper-functions.php

@@ -1450,6 +1450,16 @@ function amp_is_dev_mode() {
 			( is_admin_bar_showing() && is_user_logged_in() )
 			||
 			is_customize_preview()
+			||
+			(
+				! is_ssl()
+				&&
+				(
+					( function_exists( 'wp_get_environment_type' ) && 'local' === wp_get_environment_type() )
+					||
+					'localhost' === wp_parse_url( home_url(), PHP_URL_HOST )
+				)
+			)
 		)
 	);
 }
@@ -1522,6 +1532,7 @@ function amp_get_content_sanitizers( $post = null ) {
 		AMP_Theme_Support::TRANSITIONAL_MODE_SLUG === AMP_Options_Manager::get_option( Option::THEME_SUPPORT )
 	);
 
+	$is_dev_mode     = amp_is_dev_mode();
 	$native_img_used = amp_is_native_img_used();
 
 	$sanitizers = [
@@ -1590,7 +1601,8 @@ function amp_get_content_sanitizers( $post = null ) {
 		AMP_Accessibility_Sanitizer::class         => [],
 		// Note: This validating sanitizer must come at the end to clean up any remaining issues the other sanitizers didn't catch.
 		AMP_Tag_And_Attribute_Sanitizer::class     => [
-			'prefer_bento' => amp_is_bento_enabled(),
+			'prefer_bento'                  => amp_is_bento_enabled(),
+			'allow_localhost_http_protocol' => $is_dev_mode,
 		],
 	];
 
@@ -1651,7 +1663,7 @@ function amp_get_content_sanitizers( $post = null ) {
 	 */
 	$sanitizers = apply_filters( 'amp_content_sanitizers', $sanitizers, $post );
 
-	if ( amp_is_dev_mode() ) {
+	if ( $is_dev_mode ) {
 		/**
 		 * Filters the XPath queries for elements that should be enabled for dev mode.
 		 *

includes/sanitizers/class-amp-tag-and-attribute-sanitizer.php

@@ -92,6 +92,13 @@ class AMP_Tag_And_Attribute_Sanitizer extends AMP_Base_Sanitizer {
 	const SPECIFIED_LAYOUT_INVALID             = 'SPECIFIED_LAYOUT_INVALID';
 	const WRONG_PARENT_TAG                     = 'WRONG_PARENT_TAG';
 
+	/**
+	 * Key for localhost.
+	 *
+	 * @var string
+	 */
+	const LOCALHOST = 'localhost';
+
 	/**
 	 * Allowed tags.
 	 *
@@ -184,6 +191,7 @@ public function __construct( $dom, $args = [] ) {
 			'amp_globally_allowed_attributes' => AMP_Allowed_Tags_Generated::get_allowed_attributes(),
 			'amp_layout_allowed_attributes'   => AMP_Allowed_Tags_Generated::get_layout_attributes(),
 			'prefer_bento'                    => false,
+			'allow_localhost_http_protocol'   => false,
 		];
 
 		parent::__construct( $dom, $args );
@@ -1939,7 +1947,9 @@ private function check_attr_spec_rule_allowed_protocol( DOMElement $node, $attr_
 			if ( $node->hasAttribute( $attr_name ) ) {
 				foreach ( $this->extract_attribute_urls( $node->getAttributeNode( $attr_name ) ) as $url ) {
 					$url_scheme = $this->parse_protocol( $this->normalize_url_from_attribute_value( $url ) );
-					if ( isset( $url_scheme ) && ! in_array( strtolower( $url_scheme ), $attr_spec_rule[ AMP_Rule_Spec::VALUE_URL ][ AMP_Rule_Spec::ALLOWED_PROTOCOL ], true ) ) {
+					if ( $this->args['allow_localhost_http_protocol'] && self::LOCALHOST === wp_parse_url( $url, PHP_URL_HOST ) ) {
+						return AMP_Rule_Spec::PASS;
+					} elseif ( isset( $url_scheme ) && ! in_array( strtolower( $url_scheme ), $attr_spec_rule[ AMP_Rule_Spec::VALUE_URL ][ AMP_Rule_Spec::ALLOWED_PROTOCOL ], true ) ) {
 						return AMP_Rule_Spec::FAIL;
 					}
 				}
@@ -1951,7 +1961,9 @@ private function check_attr_spec_rule_allowed_protocol( DOMElement $node, $attr_
 					if ( $node->hasAttribute( $alternative_name ) ) {
 						foreach ( $this->extract_attribute_urls( $node->getAttributeNode( $alternative_name ), $attr_name ) as $url ) {
 							$url_scheme = $this->parse_protocol( $this->normalize_url_from_attribute_value( $url ) );
-							if ( isset( $url_scheme ) && ! in_array( strtolower( $url_scheme ), $attr_spec_rule[ AMP_Rule_Spec::VALUE_URL ][ AMP_Rule_Spec::ALLOWED_PROTOCOL ], true ) ) {
+							if ( $this->args['allow_localhost_http_protocol'] && self::LOCALHOST === wp_parse_url( $url, PHP_URL_HOST ) ) {
+								return AMP_Rule_Spec::PASS;
+							} elseif ( isset( $url_scheme ) && ! in_array( strtolower( $url_scheme ), $attr_spec_rule[ AMP_Rule_Spec::VALUE_URL ][ AMP_Rule_Spec::ALLOWED_PROTOCOL ], true ) ) {
 								return AMP_Rule_Spec::FAIL;
 							}
 						}

tests/php/test-amp-helper-functions.php

@@ -1897,6 +1897,10 @@ public function test_amp_get_content_embed_handlers() {
 	public function test_amp_is_dev_mode() {
 		AMP_Options_Manager::update_option( Option::THEME_SUPPORT, AMP_Theme_Support::STANDARD_MODE_SLUG );
 
+		// `amp_is_dev_mode()` uses `is_ssl()` so enable HTTPS, so it doesn't interfere with the usage of
+		// dev mode while showing admin bar or customizer screen.
+		$_SERVER['HTTPS'] = 'on';
+
 		$this->assertFalse( amp_is_dev_mode() );
 		add_filter( 'amp_dev_mode_enabled', '__return_true' );
 		$this->assertTrue( amp_is_dev_mode() );
@@ -1916,6 +1920,24 @@ public function test_amp_is_dev_mode() {
 		$this->assertFalse( is_user_logged_in() );
 		$this->assertTrue( is_admin_bar_showing() );
 		$this->assertFalse( amp_is_dev_mode() );
+
+		// Test on localhost with HTTP.
+		$_SERVER['HTTPS'] = false;
+
+		add_filter(
+			'home_url',
+			static function () {
+				return 'http://localhost';
+			}
+		);
+
+		$this->assertFalse( is_ssl() );
+		$this->assertTrue( amp_is_dev_mode() );
+		$this->assertTrue( 'localhost' === wp_parse_url( home_url(), PHP_URL_HOST ) );
+
+		if ( function_exists( 'wp_get_environment_type' ) ) {
+			$this->assertEquals( 'local', wp_get_environment_type() );
+		}
 	}
 
 	/**
@@ -1958,6 +1980,10 @@ public function test_amp_get_content_sanitizers() {
 		$post = self::factory()->post->create_and_get();
 		add_filter( 'amp_content_sanitizers', [ $this, 'capture_filter_call' ], 10, 2 );
 
+		// `amp_is_dev_mode()` uses `is_ssl()` so enable HTTPS, so it doesn't interfere with the usage of
+		// dev mode while showing admin bar or customizer screen.
+		$_SERVER['HTTPS'] = 'on';
+
 		$this->last_filter_call = null;
 		AMP_Options_Manager::update_option( Option::THEME_SUPPORT, AMP_Theme_Support::STANDARD_MODE_SLUG );
 		$handlers = amp_get_content_sanitizers();
@@ -2034,6 +2060,10 @@ function ( $xpaths ) use ( $element_xpaths ) {
 			}
 		);
 
+		// `amp_is_dev_mode()` uses `is_ssl()` so enable HTTPS, so it doesn't interfere with the usage of
+		// dev mode while showing admin bar or customizer screen.
+		$_SERVER['HTTPS'] = 'on';
+
 		// Check that AMP_Dev_Mode_Sanitizer is not registered if not in dev mode.
 		$sanitizers = amp_get_content_sanitizers();
 		$this->assertFalse( amp_is_dev_mode() );

tests/php/test-amp-tag-and-attribute-sanitizer-private-methods.php

@@ -5,6 +5,8 @@
 
 use AmpProject\AmpWP\Tests\Helpers\PrivateAccess;
 use AmpProject\AmpWP\Tests\TestCase;
+use AmpProject\Html\Attribute;
+use AmpProject\Validator\Spec\Tag\Html;
 
 class AMP_Tag_And_Attribute_Sanitizer_Attr_Spec_Rules_Test extends TestCase {
 
@@ -1788,6 +1790,52 @@ public function test_check_attr_spec_rule_allowed_protocol( $data, $expected ) {
 		$this->assertEquals( $expected, $got, sprintf( "using source: %s\n%s", $data['source'], wp_json_encode( $data ) ) );
 	}
 
+	/**
+	 * Test `check_attr_spec_rule_allowed_protocol()` with `allow_localhost_http_protocol` arg.
+	 *
+	 * @covers AMP_Tag_And_Attribute_Sanitizer::check_attr_spec_rule_allowed_protocol()
+	 * @group allowed-tags-private-methods
+	 */
+	public function test_check_attr_spec_rule_allowed_protocol_with_allow_localhost_http_protocol() {
+		$dom            = AMP_DOM_Utils::get_dom_from_content(
+			'<amp-autocomplete filter="substring"
+				src="http://localhost/static/samples/json/amp-autocomplete-cities.json">
+				<input>
+			</amp-autocomplete>'
+		);
+		$node           = $dom->getElementsByTagName( 'amp-autocomplete' )->item( 0 );
+		$attr           = Attribute::SRC;
+		$attr_spec_rule = [
+			'value_url' => [
+				'allow_relative' => true,
+				'protocol' => [
+					'https',
+				],
+			],
+		];
+		$sanitizer      = new AMP_Tag_And_Attribute_Sanitizer(
+			$dom,
+			[
+				'allow_localhost_http_protocol' => true,
+			]
+		);
+
+		$got = $this->call_private_method( $sanitizer, 'check_attr_spec_rule_allowed_protocol', [ $node, $attr, $attr_spec_rule ] );
+
+		$this->assertEquals( AMP_Rule_Spec::PASS, $got );
+
+		$sanitizer = new AMP_Tag_And_Attribute_Sanitizer(
+			$dom,
+			[
+				'allow_localhost_http_protocol' => false,
+			]
+		);
+
+		$got = $this->call_private_method( $sanitizer, 'check_attr_spec_rule_allowed_protocol', [ $node, $attr, $attr_spec_rule ] );
+
+		$this->assertEquals( AMP_Rule_Spec::FAIL, $got );
+	}
+
 	public function get_check_attr_spec_rule_disallowed_relative() {
 		return [
 			'no_attributes'                                 => [