Feed: ensure that video URL is absolute and normalized

igniterealtime · May 27, 2024 · f984dd5 · f984dd5
1 parent c9356a2
commit f984dd5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/src/main/java/org/jivesoftware/site/FeedItem.java b/src/main/java/org/jivesoftware/site/FeedItem.java
@@ -3,6 +3,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 
+import java.net.URI;
 import java.util.Date;
 
 /**
@@ -62,7 +63,16 @@ public static String replaceVideo(final String data) {
             startVideoSrc += "data-video-src=\"".length();
         }
         int endVideoSrc = data.indexOf('"', startVideoSrc);
-        final String videoSrc = data.substring(startVideoSrc, endVideoSrc);
+        String videoSrc = data.substring(startVideoSrc, endVideoSrc);
+        if (!videoSrc.startsWith("http")) {
+            videoSrc = "https://discourse.igniterealtime.org" + videoSrc;
+        }
+
+        try {
+            videoSrc = URI.create(videoSrc).normalize().toString();
+        } catch (IllegalArgumentException e) {
+            return data;
+        }
 
         // Thumbnail ('poster')
         final String videoPoster;
@@ -73,7 +83,11 @@ public static String replaceVideo(final String data) {
             if (endVideoPoster < 0) {
                 return data; // No closing quote? Sounds dodgy. Better abort.
             } else {
-                videoPoster = data.substring(startVideoPoster, endVideoPoster);
+                try {
+                    videoPoster = URI.create(data.substring(startVideoPoster, endVideoPoster)).normalize().toString();
+                } catch (IllegalArgumentException e) {
+                    return data;
+                }
             }
         } else {
             videoPoster = null;

diff --git a/src/test/java/org/jivesoftware/site/FeedItemTest.java b/src/test/java/org/jivesoftware/site/FeedItemTest.java
@@ -25,7 +25,7 @@ public void testVideoReplacement()
         // Verify results.
         final String expected = "<p>We are excited to be able to announce the immediate availability of a new plugin for Openfire: XMPP Web!</p>\n" +
             "<p>This new plugin for the real-time communications server provided by the <a href=\"https://www.igniterealtime.org/\">Ignite Realtime community</a> allows you to install the third-party webclient named ‘<a href=\"https://github.com/nioc/xmpp-web\">XMPP Web</a>’ in mere seconds! By installing this new plugin, the web client is immediately ready for use.</p>\n" +
-            "<p></p><video width=\"696\" poster=\"https://discourse.igniterealtime.org/uploads/default/original/2X/0/098bfee9e4e77052a15f0a17ddcf06008bd341c9.png\" controls><source src=\"/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\"/>Unable to show a video. <a href=\"/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\">Download the video</a></video><p></p>\n" +
+            "<p></p><video width=\"696\" poster=\"https://discourse.igniterealtime.org/uploads/default/original/2X/0/098bfee9e4e77052a15f0a17ddcf06008bd341c9.png\" controls><source src=\"https://discourse.igniterealtime.org/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\"/>Unable to show a video. <a href=\"https://discourse.igniterealtime.org/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\">Download the video</a></video><p></p>\n" +
             "<p>This new plugin compliments others that similarly allow to deploy a web client with great ease, like <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=candy\">Candy</a>, <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=inverse\">inVerse</a> and <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=jsxc\">JSXC</a>! With the addition of XMPP Web, the selection of easy-to-install clients for your users to use becomes even larger!</p>\n" +
             "<p>The XMPP Web plugin for Openfire is based on release 0.10.2 of the upstream project, which currently is the latest release. It will automatically become available for installation in the admin console of your Openfire server in the next few days. Alternatively, you can download it immediately from its archive page.</p>\n" +
             "<p>Do you think this is a good addition to the suite of plugins? Do you have any questions or concerns? Do you just want to say hi? Please stop by our <a href=\"https://discourse.igniterealtime.org/\">community forum</a> or our <a href=\"https://www.igniterealtime.org/support/group_chat.jsp\">live groupchat</a>!</p>\n" +