From 3edf1e2f21ed5af5586274c229bd78b3d07980cf Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Mon, 2 Jul 2018 14:20:35 +0200
Subject: [PATCH] Added support for the `steam://` protocol, unified schema processing
---
 .../3rdParty/redactor2/plugins/WoltLabLink.js | 4 ++--
 .../filter/HTMLPurifier_URIScheme_steam.php | 22 +++++++++++++++++++
 .../filter/MessageHtmlInputFilter.class.php | 2 ++
 .../converter/UrlMetacodeConverter.class.php | 20 +++++++++++++++++
 4 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/system/html/input/filter/HTMLPurifier_URIScheme_steam.php
diff --git a/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabLink.js b/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabLink.js
index de68d1c3fa..6805cbef00 100644
--- a/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabLink.js
+++ b/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabLink.js
@@ -10,8 +10,8 @@ $.Redactor.prototype.WoltLabLink = function() {
 // WoltLab modification: prevent catastrophic backtracing
 var pattern = '((xn--)?[\\W\\w\\D\\d]+(-(?!-[\\W\\w\\D\\d])+)*\\.)+[\\W\\w]{2,}';
- // WoltLab modification: added `ts3server`
- var re1 = new RegExp('^(http|ftp|https|ts3server)://' + pattern, 'i');
+ // WoltLab modification: added `steam` and `ts3server`
+ var re1 = new RegExp('^(http|ftp|https|steam|ts3server)://' + pattern, 'i');
 var re2 = new RegExp('^' + pattern, 'i');
 var re3 = new RegExp('\.(html|php)$', 'i');
 var re4 = new RegExp('^/', 'i');
diff --git a/wcfsetup/install/files/lib/system/html/input/filter/HTMLPurifier_URIScheme_steam.php b/wcfsetup/install/files/lib/system/html/input/filter/HTMLPurifier_URIScheme_steam.php
new file mode 100644
index 0000000000..92e7043636
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/html/input/filter/HTMLPurifier_URIScheme_steam.php
@@ -0,0 +1,22 @@
+userinfo = null;
+
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
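Review bot: In the `WoltLabLink.js` hunk, `re1` still appends `pattern`, which requires at least one literal `.` followed by two more characters, so a `steam://` URL without a dot (a bare command plus a numeric id, for instance) will not match the new alternative. If such links are meant to be recognised, the scheme-specific case needs its own test, e.g. `var reSteam = new RegExp('^steam://\\S+$', 'i');`, checked alongside `re1`. The rest of the function is outside the hunk, so how a non-matching value is handled afterwards cannot be confirmed here. The scheme list in this regex is also narrower than the PHP `$allowedSchemes` added later in the same commit, which is worth a comment so the two are not assumed to be in sync.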
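Review bot: In the new `HTMLPurifier_URIScheme_steam.php`, the part of the validator that is visible clears `userinfo` and then returns `true`, so as far as this page shows every `steam://` URL in user-posted content is accepted whatever command it names. A `steam://` link makes the reader's local Steam client act when clicked, so the validator is the natural place for an allow-list on the command (the host component in HTMLPurifier's parse), e.g. `if (!in_array($uri->host, ['connect', 'store'], true)) return false;`, with the list reduced to what the forum needs. Most of the file's text is missing from this page, so this should be checked against the real file before changing it.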
diff --git a/wcfsetup/install/files/lib/system/html/input/filter/MessageHtmlInputFilter.class.php b/wcfsetup/install/files/lib/system/html/input/filter/MessageHtmlInputFilter.class.php
index 7bf4884ac2..3d5bdcf516 100644
--- a/wcfsetup/install/files/lib/system/html/input/filter/MessageHtmlInputFilter.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/filter/MessageHtmlInputFilter.class.php
@@ -42,6 +42,7 @@ class MessageHtmlInputFilter implements IHtmlInputFilter {
 */
 protected function getPurifier() {
 if (self::$purifier === null) {
+ require_once(WCF_DIR . 'lib/system/html/input/filter/HTMLPurifier_URIScheme_steam.php');
 require_once(WCF_DIR . 'lib/system/html/input/filter/HTMLPurifier_URIScheme_ts3server.php');
 $config = \HTMLPurifier_Config::createDefault();
@@ -54,6 +55,7 @@ class MessageHtmlInputFilter implements IHtmlInputFilter {
 $config->set('HTML.ForbiddenAttributes', ['*@lang', '*@xml:lang']);
 $allowedSchemes = $config->get('URI.AllowedSchemes');
+ $allowedSchemes['steam'] = true;
 $allowedSchemes['ts3server'] = true;
 $config->set('URI.AllowedSchemes', $allowedSchemes);
diff --git a/wcfsetup/install/files/lib/system/html/metacode/converter/UrlMetacodeConverter.class.php b/wcfsetup/install/files/lib/system/html/metacode/converter/UrlMetacodeConverter.class.php
index 5742faaf51..029894b7f5 100644
--- a/wcfsetup/install/files/lib/system/html/metacode/converter/UrlMetacodeConverter.class.php
+++ b/wcfsetup/install/files/lib/system/html/metacode/converter/UrlMetacodeConverter.class.php
@@ -12,6 +12,12 @@ use wcf\util\StringUtil;
 * @since 3.0
 */
 class UrlMetacodeConverter extends AbstractMetacodeConverter {
+ /**
+ * list of allowed schemas as defined by HTMLPurifier
+ * @var string[]
+ */
+ public static $allowedSchemes = ['http', 'https', 'mailto', 'ftp', 'nntp', 'news', 'tel', 'steam', 'ts3server'];
+
 /**
 * @inheritDoc
 */
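Review bot: `$allowedSchemes` in `UrlMetacodeConverter` is a hand-written copy of the scheme set that `MessageHtmlInputFilter::getPurifier()` builds from `URI.AllowedSchemes`, and it is declared `public static`, so any code can append a scheme to it at runtime. If the two lists drift, the converter and the purifier will disagree about which links are valid. Declaring it `protected static $allowedSchemes` and extending the docblock with `must match URI.AllowedSchemes in MessageHtmlInputFilter::getPurifier()` would narrow both problems. The class body continues outside the hunk.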
@@ -24,6 +30,20 @@ class UrlMetacodeConverter extends AbstractMetacodeConverter {
 }
 $href = StringUtil::decodeHTML($href);
+ if (mb_strpos($href, '//') === 0) {
+ // dynamic protocol, treat as https
+ $href = "https:{$href}";
+ }
+ else if (preg_match('~^(?P[a-z0-9]+)://~', $href, $match)) {
+ if (!in_array($match['schema'], self::$allowedSchemes)) {
+ // invalid schema, replace it with `http`
+ $href = 'http' . mb_substr($href, strlen($match['schema']));
+ }
+ }
+ else if (mb_strpos($href, 'index.php') === false) {
+ // unless it's a relative `index.php` link, assume it is missing the protocol
+ $href = "http://{$href}";
+ }
 // check if the link is empty, use the href value instead
 $useHrefAsValue = false;
--
2.20.1
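Review bot: The final `else if (mb_strpos($href, 'index.php') === false)` branch in `UrlMetacodeConverter` exempts any href that contains `index.php` anywhere, so a value whose scheme is written without `://` (`javascript:`, `data:`) and that merely mentions `index.php` reaches the output with neither the allow-list check nor the `http://` prefix applied; whether a later stage validates the href again is not visible here. Tie the exemption to scheme-less values, e.g. `else if (mb_strpos($href, 'index.php') === false || preg_match('~^[a-z][a-z0-9+.-]*:~i', $href)) {`. The scheme match is also case-sensitive and requires `://`, so `HTTPS://…` gets `http://` prepended and the `mailto`, `news` and `tel` entries of the list can never match; adding the `i` flag, lower-casing `$match['schema']` and passing `true` as the third argument of `in_array` covers the case problem. The enclosing method starts and ends outside the hunk.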