diff options
author | Vitaly Takmazov | 2018-05-17 22:26:14 +0300 |
---|---|---|
committer | Vitaly Takmazov | 2018-05-17 22:26:14 +0300 |
commit | c3f5d83b7beed8a523b8a851df742ef028de5efd (patch) | |
tree | 4ec9f404c8bd4383e37f3b7bfe342fd01ca0ceb1 /juick-common/src | |
parent | ed2e863fe4acfdb5015b5514c3219bef8c215ff3 (diff) |
fix unsafe urls stripping
Diffstat (limited to 'juick-common/src')
-rw-r--r-- | juick-common/src/main/java/com/juick/util/MessageUtils.java | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/juick-common/src/main/java/com/juick/util/MessageUtils.java b/juick-common/src/main/java/com/juick/util/MessageUtils.java index 5a4b05ca..c9796809 100644 --- a/juick-common/src/main/java/com/juick/util/MessageUtils.java +++ b/juick-common/src/main/java/com/juick/util/MessageUtils.java @@ -57,8 +57,12 @@ public class MessageUtils { return result; } - private final static String regexUrl = - "((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)"; + private final static String urlWhiteSpacePrefix = "((?<=\\s)|(?<=\\A))"; + + private final static String urlRegex = "((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"\\>]*)"; + + private final static String urlWithWhitespacesRegex = + urlWhiteSpacePrefix + urlRegex; private final static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|<)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!>))*)([\\]\\}]|>)"); @@ -69,7 +73,7 @@ public class MessageUtils { // http://juick.com/last?page=2 // <a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a> - msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>"); + msg = msg.replaceAll(urlWithWhitespacesRegex, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>"); // (http://juick.com/last?page=2) // (<a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>) @@ -96,7 +100,7 @@ public class MessageUtils { // http://juick.com/last?page=2 // <a href="http://juick.com/last?page=2" rel="nofollow">juick.com</a> - msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>"); + msg = msg.replaceAll(urlWithWhitespacesRegex, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>"); // [link text][http://juick.com/last?page=2] // <a href="http://juick.com/last?page=2" rel="nofollow">link text</a> @@ -276,7 +280,7 @@ public class MessageUtils { public static String stripNonSafeUrls(String input) { // strip login urls - Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input); + Matcher urlMatcher = Pattern.compile(MessageUtils.urlRegex).matcher(input); while (urlMatcher.find()) { URI uri = URI.create(urlMatcher.group(0)); if (uri.getHost().equals("juick.com")) { |