diff --git a/services/src/main/java/org/keycloak/theme/KeycloakSanitizerMethod.java b/services/src/main/java/org/keycloak/theme/KeycloakSanitizerMethod.java
index f893ff4f68..b05ef66e06 100644
--- a/services/src/main/java/org/keycloak/theme/KeycloakSanitizerMethod.java
+++ b/services/src/main/java/org/keycloak/theme/KeycloakSanitizerMethod.java
@@ -21,6 +21,9 @@ import freemarker.template.TemplateMethodModelEx;
 import freemarker.template.TemplateModelException;
 import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 import org.owasp.html.PolicyFactory;
 /**
@@ -41,7 +44,22 @@ public class KeycloakSanitizerMethod implements TemplateMethodModelEx {
 String html = list.get(0).toString();
 String sanitized = KEYCLOAK_POLICY.sanitize(html);
- return sanitized;
+ return fixURLs(sanitized);
+ }
+
+ private String fixURLs(String msg) {
+ Pattern hrefs = Pattern.compile("href=\"([^\"]*)\"");
+ Matcher matcher = hrefs.matcher(msg);
+ int count = 0;
+ while(matcher.find()) {
+ count++;
+ String original = matcher.group(count);
+ String href = original.replaceAll("=", "=")
+ .replaceAll("\\.\\.", ".")
+ .replaceAll("&", "&");
+ msg = msg.replace(original, href);
+ }
+ return msg;
 }
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/MailUtils.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/MailUtils.java
index 8734bd2a6a..22ff33a4cf 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/MailUtils.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/MailUtils.java 
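Review bot: `matcher.group(count)` in the new fixURLs loop throws IndexOutOfBoundsException as soon as a message contains a second href, because the pattern declares exactly one capturing group and count has reached 2 by then; the captured value is always `matcher.group(1)`. `msg.replace(original, href)` also rewrites every occurrence of the captured value anywhere in the message, not only inside the attribute, so entity encoding the sanitizer applied to text content is undone too; appending replacements through the matcher confines the rewrite to the href value, and the Pattern can be compiled once as a static final rather than on every call. Because this runs after the OWASP sanitizer, the set of sequences decoded here must stay limited to ones that cannot close a double-quoted attribute (the `[^"]*` capture currently guarantees no `"` reaches the output), which deserves a comment such as `// post-sanitizer decode: must never reintroduce a double quote into the attribute`. As rendered here the first and last replaceAll() calls show identical literals on both sides, which looks like an entity-rendering artifact of this page rather than the source, so that chain is left as is below. The rest of the class lies outside the hunk.

```java
    private static final Pattern HREF_PATTERN = Pattern.compile("href=\"([^\"]*)\"");

    private String fixURLs(String msg) {
        Matcher matcher = HREF_PATTERN.matcher(msg);
        StringBuffer out = new StringBuffer();
        while (matcher.find()) {
            String original = matcher.group(1);
            // … unchanged: the three replaceAll() calls that derive href from original …
            matcher.appendReplacement(out, Matcher.quoteReplacement("href=\"" + href + "\""));
        }
        matcher.appendTail(out);
        return out.toString();
    }
```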
@@ -61,11 +61,6 @@ public class MailUtils {
 final String textChangePwdUrl = getLink(body.getText());
 String htmlChangePwdUrl = getLink(body.getHtml());
- // undo changes that may have been made by html sanitizer
- htmlChangePwdUrl = htmlChangePwdUrl.replace("=", "=");
- htmlChangePwdUrl = htmlChangePwdUrl.replace("..", ".");
- htmlChangePwdUrl = htmlChangePwdUrl.replace("&", "&");
-
 assertEquals(htmlChangePwdUrl, textChangePwdUrl);
 return htmlChangePwdUrl;