From f984dd53eb0e1adbb0b009b319dddb76456edf70 Mon Sep 17 00:00:00 2001
From: Guus der Kinderen <guus.der.kinderen@gmail.com>
Date: Mon, 27 May 2024 10:21:57 +0200
Subject: [PATCH] Feed: ensure that video URL is absolute and normalized

---
 .../java/org/jivesoftware/site/FeedItem.java   | 18 ++++++++++++++++--
 .../org/jivesoftware/site/FeedItemTest.java    |  2 +-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/jivesoftware/site/FeedItem.java b/src/main/java/org/jivesoftware/site/FeedItem.java
index 99931e12..ae0d768e 100644
--- a/src/main/java/org/jivesoftware/site/FeedItem.java
+++ b/src/main/java/org/jivesoftware/site/FeedItem.java
@@ -3,6 +3,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 
+import java.net.URI;
 import java.util.Date;
 
 /**
@@ -62,7 +63,16 @@ public static String replaceVideo(final String data) {
             startVideoSrc += "data-video-src=\"".length();
         }
         int endVideoSrc = data.indexOf('"', startVideoSrc);
-        final String videoSrc = data.substring(startVideoSrc, endVideoSrc);
+        String videoSrc = data.substring(startVideoSrc, endVideoSrc);
+        if (!videoSrc.startsWith("http")) {
+            videoSrc = "https://discourse.igniterealtime.org" + videoSrc;
+        }
+
+        try {
+            videoSrc = URI.create(videoSrc).normalize().toString();
+        } catch (IllegalArgumentException e) {
+            return data;
+        }
 
         // Thumbnail ('poster')
         final String videoPoster;
@@ -73,7 +83,11 @@ public static String replaceVideo(final String data) {
             if (endVideoPoster < 0) {
                 return data; // No closing quote? Sounds dodgy. Better abort.
             } else {
-                videoPoster = data.substring(startVideoPoster, endVideoPoster);
+                try {
+                    videoPoster = URI.create(data.substring(startVideoPoster, endVideoPoster)).normalize().toString();
+                } catch (IllegalArgumentException e) {
+                    return data;
+                }
             }
         } else {
             videoPoster = null;
diff --git a/src/test/java/org/jivesoftware/site/FeedItemTest.java b/src/test/java/org/jivesoftware/site/FeedItemTest.java
index 4aea7dae..44c6ebb9 100644
--- a/src/test/java/org/jivesoftware/site/FeedItemTest.java
+++ b/src/test/java/org/jivesoftware/site/FeedItemTest.java
@@ -25,7 +25,7 @@ public void testVideoReplacement()
         // Verify results.
         final String expected = "<p>We are excited to be able to announce the immediate availability of a new plugin for Openfire: XMPP Web!</p>\n" +
             "<p>This new plugin for the real-time communications server provided by the <a href=\"https://www.igniterealtime.org/\">Ignite Realtime community</a> allows you to install the third-party webclient named ‘<a href=\"https://github.com/nioc/xmpp-web\">XMPP Web</a>’ in mere seconds! By installing this new plugin, the web client is immediately ready for use.</p>\n" +
-            "<p></p><video width=\"696\" poster=\"https://discourse.igniterealtime.org/uploads/default/original/2X/0/098bfee9e4e77052a15f0a17ddcf06008bd341c9.png\" controls><source src=\"/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\"/>Unable to show a video. <a href=\"/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\">Download the video</a></video><p></p>\n" +
+            "<p></p><video width=\"696\" poster=\"https://discourse.igniterealtime.org/uploads/default/original/2X/0/098bfee9e4e77052a15f0a17ddcf06008bd341c9.png\" controls><source src=\"https://discourse.igniterealtime.org/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\"/>Unable to show a video. <a href=\"https://discourse.igniterealtime.org/uploads/default/original/2X/5/5a21cdad5c5e2053c693aa7734a48f684879b63f.mp4\">Download the video</a></video><p></p>\n" +
             "<p>This new plugin compliments others that similarly allow to deploy a web client with great ease, like <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=candy\">Candy</a>, <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=inverse\">inVerse</a> and <a href=\"https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=jsxc\">JSXC</a>! With the addition of XMPP Web, the selection of easy-to-install clients for your users to use becomes even larger!</p>\n" +
             "<p>The XMPP Web plugin for Openfire is based on release 0.10.2 of the upstream project, which currently is the latest release. It will automatically become available for installation in the admin console of your Openfire server in the next few days. Alternatively, you can download it immediately from its archive page.</p>\n" +
             "<p>Do you think this is a good addition to the suite of plugins? Do you have any questions or concerns? Do you just want to say hi? Please stop by our <a href=\"https://discourse.igniterealtime.org/\">community forum</a> or our <a href=\"https://www.igniterealtime.org/support/group_chat.jsp\">live groupchat</a>!</p>\n" +