authorGravatar Vitaly Takmazov2018-05-17 22:26:14 +0300
committerGravatar Vitaly Takmazov2018-05-17 22:26:14 +0300
commitc3f5d83b7beed8a523b8a851df742ef028de5efd (patch)
tree4ec9f404c8bd4383e37f3b7bfe342fd01ca0ceb1
parented2e863fe4acfdb5015b5514c3219bef8c215ff3 (diff)
fix unsafe URL stripping
-rw-r--r--juick-common/src/main/java/com/juick/util/MessageUtils.java14
-rw-r--r--juick-server/src/test/java/com/juick/server/tests/ServerTests.java7
2 files changed, 12 insertions, 9 deletions
diff --git a/juick-common/src/main/java/com/juick/util/MessageUtils.java b/juick-common/src/main/java/com/juick/util/MessageUtils.java
index 5a4b05ca..c9796809 100644
--- a/juick-common/src/main/java/com/juick/util/MessageUtils.java
+++ b/juick-common/src/main/java/com/juick/util/MessageUtils.java
@@ -57,8 +57,12 @@ public class MessageUtils {
return result;
}
- private final static String regexUrl =
- "((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)";
+ private final static String urlWhiteSpacePrefix = "((?<=\\s)|(?<=\\A))";
+
+ private final static String urlRegex = "((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"\\>]*)";
+
+ private final static String urlWithWhitespacesRegex =
+ urlWhiteSpacePrefix + urlRegex;
private final static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|&lt;)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!&gt;))*)([\\]\\}]|&gt;)");
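Review bot: The new `urlRegex` excludes `>` only in the trailing path class (`[^\\s\\n\\\"\\>]*`), while the host group `([^\\/\\s\\n\\\"]+)` still admits it, so a bracketed link with no path such as `<https://juick.com>` captures `juick.com>` as the host. Adding the same exclusion to the host class, `([^\\/\\s\\n\\\"\\>]+)`, keeps the two halves of the pattern consistent and stops the angle bracket from leaking into what `stripNonSafeUrls` later hands to `URI.create`. The three constants would also read better in the conventional `private static final` order and with a short comment each, e.g. `// URL preceded by whitespace or start of input (used for link rendering)` on `urlWithWhitespacesRegex` and `// bare URL, also matches inside <...> (used for stripping)` on `urlRegex`.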
@@ -69,7 +73,7 @@ public class MessageUtils {
// http://juick.com/last?page=2
// <a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>
- msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
+ msg = msg.replaceAll(urlWithWhitespacesRegex, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
// (http://juick.com/last?page=2)
// (<a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>)
@@ -96,7 +100,7 @@ public class MessageUtils {
// http://juick.com/last?page=2
// <a href="http://juick.com/last?page=2" rel="nofollow">juick.com</a>
- msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
+ msg = msg.replaceAll(urlWithWhitespacesRegex, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
// [link text][http://juick.com/last?page=2]
// <a href="http://juick.com/last?page=2" rel="nofollow">link text</a>
@@ -276,7 +280,7 @@ public class MessageUtils {
public static String stripNonSafeUrls(String input) {
// strip login urls
- Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input);
+ Matcher urlMatcher = Pattern.compile(MessageUtils.urlRegex).matcher(input);
while (urlMatcher.find()) {
URI uri = URI.create(urlMatcher.group(0));
if (uri.getHost().equals("juick.com")) {
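Review bot: `URI.create(urlMatcher.group(0))` and `uri.getHost().equals("juick.com")` are unguarded although the matched text is taken from user-posted message content, and the regex accepts characters that `URI` does not (the host group still admits `>`, so `<https://juick.com>` now reaches this line as `https://juick.com>`). `URI.create` then throws `IllegalArgumentException`, and for syntactically valid but host-less URIs `getHost()` returns null and the `equals` call throws NPE, so one crafted message aborts stripping for the whole text. Wrap the parse in `try { ... } catch (IllegalArgumentException ignored) { continue; }` (comment: `// regex-matched text is not always a valid URI; skip rather than fail the whole message`) and compare with `"juick.com".equals(uri.getHost())`. The body of stripNonSafeUrls continues past the end of this hunk.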
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index be81212b..177ced5e 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
@@ -797,11 +797,10 @@ public class ServerTests {
result = commandsManager.processCommand(user, String.format("#%d *one *two *three *four *five *six", msg.getMid()), emptyUri);
assertThat(result.getNewMessage(), is(Optional.empty()));
assertThat(result.getText(), is("Tags are NOT updated (5 tags maximum?)"));
- result = commandsManager.processCommand(user, "I'm very smart to post my login url there: " +
- "https://juick.com/settings?hash=VTYZkKV8FWkmu6g1", emptyUri);
+ result = commandsManager.processCommand(user, "I'm very smart to post my login url there" +
+ "<https://juick.com/settings?hash=VTYZkKV8FWkmu6g1>", emptyUri);
assertThat(result.getNewMessage().isPresent(), is(true));
- assertThat(result.getNewMessage().get().getText(), is("I'm very smart to post my login url there: " +
- "https://juick.com/settings"));
+ assertFalse(result.getNewMessage().get().getText().contains("VTYZkKV8FWkmu6g1"));
result = commandsManager.processCommand(user, "*корм *juick_ppl *рационализм *? *мюсли а сколько микроморт в дневной порции сверхмюслей?", emptyUri);
assertTrue(result.getNewMessage().isPresent());
}
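Review bot: The replaced assertion only checks that the hash is gone, so the test no longer verifies that the surrounding message text and the link itself survive stripping; a regression that dropped the whole URL or the whole message would still pass. Keeping a positive check alongside it, e.g. `assertTrue(result.getNewMessage().get().getText().contains("https://juick.com/settings"));`, pins the intended behaviour (the exact expected output with the angle brackets is not visible here, so a `contains` check is the safe form). The test method this hunk belongs to starts before the hunk.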