CONFSERVER-28103 (Confluence Data Center)

Expand external links security filtering to allow digits, plus, hyphen and periods in protocol

      The allowable protocols for external links were expanded in this task: https://jira.atlassian.com/browse/CONF-24665

      The regex used is still too restrictive for some customers. It should be expanded to accept the characters the RFC allows in a scheme (RFC 3986: a letter followed by letters, digits, '+', '-' or '.'), while continuing to block dangerous protocols.

      Workaround

      1. Find <confluence_install>/confluence/WEB-INF/lib/confluence-4.x.x.jar and extract its contents somewhere
      2. Locate and edit com/atlassian/confluence/content/render/xhtml/antisamy-confluence-storage.xml
      3. Around line 54 there should be a regex matching file, smb, irc, etc., similar to the following line:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />
        
      4. Add the desired protocol (e.g. 'hansoft' or 'exp2') to this alternation and save. Note that the `&amp;` in the attribute value is XML escaping for a literal `&`. The result should look like this:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:|exp2:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />
        
      5. Place the modified XML file in <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/content/render/xhtml/ (create the directories if they do not exist); files under WEB-INF/classes take precedence over the copy inside the jar
      6. Restart Confluence

      Please note that allowing Confluence to save/render more link types can be a security risk: every scheme added to this allow-list becomes a clickable href for every reader. Additionally, this workaround is not a supported operation and may not apply to future versions as the product changes.
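      The following is an added example written for this page (Python; it is not Atlassian's code and not part of the original issue). It ports the offsiteURL regex from step 3 to Python, shows the effect of appending `exp2:` as step 4 does, and goes beyond the workaround by checking the same URLs against an RFC 3986 scheme matcher with a small deny-list, which is the direction the issue asks for. Python's `re` has no `\p{L}`, `\p{N}` or `\p{Zs}`, so the port substitutes `[^\W_]` and `\s`; that is an approximation of the Java character classes, not an exact equivalent. The deny-list, the function names and the sample URLs are constructed for the example.

```python
import re

# Scheme allow-list from antisamy-confluence-storage.xml (Java regex syntax in the
# original). Ported to Python: [^\W_] stands in for \p{L}\p{N}, \s for \p{Zs}.
# This is an approximation of the Java classes, not an exact equivalent.
_STOCK_PREFIXES = (
    r"((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:"
)


def build_confluence_pattern(extra_prefixes=()):
    """Return the offsiteURL pattern, optionally with extra prefixes such as "exp2:"
    appended to the alternation exactly as step 4 of the workaround does."""
    prefixes = _STOCK_PREFIXES + "".join("|" + re.escape(p) for p in extra_prefixes)
    return re.compile(
        r"(\s)*(" + prefixes + r")"
        r"(?:[^\W_]|/)+"                            # [\p{L}\p{N}/]+
        r"(?:[^\W_]|[\s.#@$%+&;:\-_~,?=/!()])*"     # [\p{L}\p{N}\p{Zs}.#@$%+&;:-_~,?=/!()]*
        r"(\s)*"
    )


def allowed_by_confluence(url, extra_prefixes=()):
    """AntiSamy validates the whole attribute value against the pattern, hence fullmatch."""
    return build_confluence_pattern(extra_prefixes).fullmatch(url) is not None


# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
# This is the grammar the issue title asks for; "winscp-sftp", "tel" and "elodms"
# (all requested in the comments) are valid under it, "1abc" is not.
_RFC3986_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

# Deny-list of schemes a wiki must never emit as a clickable href. Minimal,
# constructed set for this example; a deployment would review its own list.
DENIED_SCHEMES = frozenset({"javascript", "vbscript", "data"})


def allowed_by_rfc_scheme(url):
    """Accept any syntactically valid RFC 3986 scheme not on the deny-list.

    Browsers strip ASCII tab, CR and LF from anywhere in a URL before parsing,
    so "java\\tscript:..." reaches the browser as "javascript:...". Rather than
    trying to normalise the same way, reject any control character outright.
    Leading/trailing spaces are tolerated, mirroring (\\s)* in the stock regex.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    match = _RFC3986_SCHEME.match(url.strip())
    if match is None:
        return False  # no scheme at all: a relative link, not an offsite URL
    return match.group(1).lower() not in DENIED_SCHEMES


if __name__ == "__main__":
    # Constructed sample links, including two that must stay blocked.
    samples = [
        "https://example.com/page?a=1",
        "exp2://host/doc",
        "winscp-sftp://host/path",
        "tel:+1-555-0100",
        "javascript:alert(1)",
        "java\tscript:alert(1)",
    ]
    for u in samples:
        print(f"{u!r:28} stock={allowed_by_confluence(u)!s:5} "
              f"+exp2={allowed_by_confluence(u, ('exp2:',))!s:5} "
              f"rfc={allowed_by_rfc_scheme(u)}")
```

      The two checks differ in what they default to: the stock regex is an allow-list, so anything not enumerated (including `tel:` and `winscp-sftp:`) is dropped, while the RFC-scheme check is a grammar plus a deny-list, so anything not explicitly denied is accepted. The deny-list variant is only as safe as its handling of case and of the whitespace/control characters browsers discard, which is why the function lowercases the scheme and refuses control characters instead of stripping them. That asymmetry is the reason the caveat above about widening the allow-list stands.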

      Workaround with Collaborative Editing On

      As of 6.2.2, in addition to the steps above, the following is possible:

      1. Find <confluence_install>/confluence/WEB-INF/atlassian-bundled-plugins/confluence-collaborative-editor-plugin-x.y.z.jar
      2. Create a backup of the jar in a different directory.
      3. Extract the contents and locate the two files js/util/is-valid-uri.js and js/util/is-valid-uri-min.js.
      4. In both files, locate the list of allowed protocols (search for mailto: for example) and add the required protocols to that list, separated by |. Proper JS regex escaping is required here, so if the protocol is my-protocol1:// for example, it should be entered as
        my-protocol1:\\/\\/
      5. Repackage the jar
      6. Back up the plugin cache directories
      7. Clear out the plugin cache directories
      8. Back up the <confluence-install>/temp folder
      9. Clear out the contents of the <confluence-install>/temp folder (make sure the folder itself still exists)
      10. Start Confluence

      Please note that allowing Confluence to save/render more link types can be a security risk. Additionally, this workaround is not a supported operation and may not apply to future versions as the product changes.


            Tristan Louet added a comment - edited

            Hello! Just voicing my support for getting a way to configure this for Confluence Cloud instances.

            Our company has an internal tool relying on custom-protocol links and being able to share these links in our Confluence-based documentation would be a huge deal.


            Christopher Martin added a comment - edited

            We don't need the vendor telling us what prefixes are acceptable. I use Confluence Cloud and I can't open winscp-sftp:// or sftp:// links, and since there's no admin panel to add my allowed prefixes and I can't edit server files manually, I am resigned to just being angry and disappointed at Atlassian, because this issue has been raised since the early 2010s and it's STILL not properly implemented.

            This doesn't need to suck; it just does because someone thinks that frustrating the type of users who are responsible for choosing and implementing a wiki solution, by not addressing a decade-old issue that specifically and negatively impacts that type of user, is somehow a good idea.


            Gonchik Tsymzhitov added a comment -

            Any ideas why it's actual? %)

            Lamar Goddard added a comment -

            The workaround no longer seems to work with Confluence 7.1.0 (possibly 7.x). If I modify the <confluence_install>/confluence/WEB-INF/atlassian-bundled-plugins/confluence-collaborative-editor-plugin-x.y.z.jar as referenced above and repackage it, Confluence shows it as modified and the plugin fails to load. The lack of personal drafts in 7.x means we have to have Synchrony running to be able to use the product effectively, but turning it on with the default regex would lead to data loss when editing pages. Suggestions on how to proceed?

            PeterH added a comment -

            I vote for the tel: protocol link, as our whole company has switched to internet telephony, so no landlines anymore. It's quite common on normal websites to have links which work with the installed communicator app. We are using Circuit, which works quite well that way.

            Only on our Confluence wiki we are still out of the function.

            Time for a mind change?

            Patching the system as described in the workaround is no option for us, and for security reasons the HTML macros are deactivated. We are running an enterprise installation.


            Ray Schmidt added a comment -

            Is it possible to make this a configurable option in the software? Then everyone can add their own needed protocols.

            Ann Worley (Inactive) added a comment -

            A customer has requested that we add "elodms:" to the default list of allowable protocols for external links. ELO is an Enterprise Content Management system from ELO Digital Office GmbH in Germany and is also used worldwide.

            Alex Yakovlev (Inactive) added a comment -

            asasko, I am not aware of any work to allow additional protocols in Confluence Cloud.

            Austin Sasko added a comment -

            Is there an equivalent feature in the works for Confluence Cloud?

            Christian Rachny added a comment -

            This issue has been known since 2013 without a solution from Atlassian. Please resolve this bug. Thanks.

              Assignee: Unassigned
              Reporter: Steve Lancashire (Inactive)
              Affected customers: 59
              Watchers: 50