Confluence Data Center / CONFSERVER-28103

Expand external links security filtering to allow digits, plus, hyphen and periods in protocol

Description

      The allowable protocols for external links were expanded in this task: https://jira.atlassian.com/browse/CONF-24665

      The regex used is still too restrictive for some customers. It should be expanded to match the characters the RFC allows in a scheme (letters, digits, plus, hyphen and period) whilst continuing to restrict dangerous protocols.

      Workaround

      1. Find <confluence_install>/confluence/WEB-INF/lib/confluence-4.x.x.jar and extract the contents of this file somewhere
      2. Locate and edit com/atlassian/confluence/content/render/xhtml/antisamy-confluence-storage.xml
      3. Around line 54 or so there should be a regex matching file, smb, irc, etc., similar to the following line:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />
        
      4. Add the desired protocol (e.g. 'hansoft' or 'exp2') to this list and save. It should look like this:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:|exp2:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />
        
      5. Place the modified XML file in the following directory: <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/content/render/xhtml/ (create the directories if they do not exist)
      6. Restart Confluence

      Please note that allowing Confluence to save/render more link types can be a potential security risk. Additionally, this workaround is not a supported operation and may not be applicable to future upgrades as the product changes.

      Workaround with Collaborative Editing On

      1. In addition to the steps above, as of 6.2.2 it is possible to do the following:
      2. Find <confluence_install>/confluence/WEB-INF/atlassian-bundled-plugins/confluence-collaborative-editor-plugin-x.y.z.jar
      3. Create a backup of the jar somewhere in a different directory.
      4. Extract the contents and locate the two files js/util/is-valid-uri.js and js/util/is-valid-uri-min.js.
      5. In both files, locate the list of allowed protocols (you can search for mailto: for example), and add the required protocols to that list separated by |. Proper JS Regex escaping is required here, so if the protocol is my-protocol1:// for example, it should be entered as
        my-protocol1:\\/\\/
      6. Repackage the jar
      7. Back up the Plugin Cache directories
      8. Clear out the Plugin Cache directories
      9. Back up the <confluence-install>/temp folder
      10. Clear out the contents of the <confluence-install>/temp folder (make sure the folder still exists)
      11. Start Confluence

      Please note that allowing Confluence to save/render more link types can be a potential security risk. Additionally, this workaround is not a supported operation and may not be applicable to future upgrades as the product changes.
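      The following checker is an added example, not Atlassian's code and not part of this issue. It reproduces the antisamy offsiteURL allowlist regex from the first workaround in JavaScript (the 'u' flag gives \p{L}, \p{N} and \p{Zs} the same meaning as in java.util.regex), so an administrator can see what an edited allowlist accepts and rejects before repackaging any jar, and it also shows the doubled-backslash form that step 5 of the collaborative-editing workaround asks for. Assumptions: AntiSamy validates the attribute value as a whole-string match (hence the ^...$ anchors), is-valid-uri.js builds its pattern from a string literal, and the set of "dangerous" schemes (javascript, vbscript, data) is our own choice since the issue does not name them. All sample link values are constructed.

```javascript
// Added example (not Atlassian's code): reproduce the antisamy "offsiteURL"
// allowlist from the workaround and classify candidate href values with it.

// Schemes that must stay unreachable however the allowlist is edited.
// The issue only says "dangerous protocols"; this set is our own assumption.
const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// This is the character set the issue asks the filter to tolerate.
const RFC3986_SCHEME = /^[A-Za-z][A-Za-z0-9+\-.]*$/;
function isRfc3986Scheme(s) {
  return RFC3986_SCHEME.test(s);
}

// Escape a literal scheme prefix such as "my-protocol1://" for use inside a
// regex: the "://" becomes ":\/\/".
function escapeForRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// The same prefix as it must be typed into a JS string literal that is later
// compiled into a RegExp: every backslash is doubled, which is why the
// workaround shows my-protocol1:\\/\\/ for is-valid-uri.js (assumption: that
// file builds its pattern from a string literal).
function jsStringLiteralFragment(scheme) {
  return escapeForRegex(scheme).replace(/\\/g, '\\\\');
}

// Build the allowlist pattern. The built-in part is copied from the
// antisamy-confluence-storage.xml line in the workaround (with &amp; decoded
// to &); extraSchemes are the prefixes an admin appends after "mailto:".
// Assumption: AntiSamy requires the whole value to match, so ^ and $ are added.
function buildOffsiteUrlRegex(extraSchemes = []) {
  const hierarchical =
    '((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://';
  const prefixes = ['mailto:', ...extraSchemes.map(escapeForRegex)];
  const scheme = `(${hierarchical}|${prefixes.join('|')})`;
  const rest =
    '[\\p{L}\\p{N}/]+[\\p{L}\\p{N}\\p{Zs}.#@$%+&;:\\-_~,?=/!()]*';
  return new RegExp(`^(\\s)*${scheme}${rest}(\\s)*$`, 'u');
}

// Classify one href value. The allowlist is the real control; the denylist is
// a second check that catches an over-broad edit (someone appending
// "javascript:" to the list would otherwise reopen script execution).
function checkLink(value, extraSchemes = []) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+\-.]*):/.exec(value);
  const scheme = m ? m[1].toLowerCase() : null;
  if (scheme !== null && DANGEROUS_SCHEMES.has(scheme)) return 'blocked-dangerous';
  return buildOffsiteUrlRegex(extraSchemes).test(value) ? 'allowed' : 'rejected';
}

// Constructed sample values (not taken from any Confluence instance).
const samples = [
  ['http://example.com/page', []],
  ['mailto:user@example.com', []],
  ['exp2:project/item-42', []],
  ['exp2:project/item-42', ['exp2:']],
  ['my-protocol1://host/path', ['my-protocol1://']],
  ['javascript:void(0)', ['javascript:']],
];
for (const [value, extra] of samples) {
  console.log(`${checkLink(value, extra).padEnd(17)} ${JSON.stringify(value)} extra=${JSON.stringify(extra)}`);
}
```

      Run it with node after editing the allowlist to confirm that the newly added scheme is accepted and that the built-in schemes still behave as before; the separate RFC 3986 check shows which scheme names the issue's proposed relaxation would tolerate (for example git+ssh) without any of them bypassing the denylist.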

      People

        Assignee: Unassigned
        Reporter: slancashire Steve Lancashire (Inactive)
        Votes: 57
        Watchers: 50