author | Dries Buytaert <dries@buytaert.net> | 2007-01-09 08:30:31 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2007-01-09 08:30:31 +0000 |
commit | 3e8a9d1905c3110a4e7ac18044f477c60b02e098 (patch) | |
tree | 0b9fcb15165fb8cc9957b6719423d5cbec556654 /includes/common.inc | |
parent | 250d0d0299ee25547a7c9636585501b7485d165f (diff) | |
- Cleanup form attributes.
Diffstat (limited to 'includes/common.inc')
-rw-r--r-- | includes/common.inc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 31474eb5c..b55384e2a 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1142,8 +1142,9 @@ function url($path = NULL, $query = NULL, $fragment = NULL, $absolute = FALSE) {
 }
 
 // Return an external link if $path contains an allowed absolute URL.
- // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
- if (strpos($path, ':') !== FALSE && filter_xss_bad_protocol($path, FALSE) == check_plain($path)) {
+ // Only call the slow filter_xss_bad_protocol if $path contains a ':' before any / ? or #.
+ $colonpos = strpos($path, ':');
+ if ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path)) {
 // Split off the fragment
 if (strpos($path, '#') !== FALSE) {
 list($path, $old_fragment) = explode('#', $path, 2); |
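Review bot: The rewritten `if` is the gate that decides whether `$path` reaches `filter_xss_bad_protocol()` at all, yet the comment above it still presents the test as a speed optimisation. A path with `/`, `?` or `#` ahead of its first `:` now skips the protocol check and presumably falls through to the internal-path handling, which lies outside this hunk. That matches how a URI scheme is delimited, but the change is only safe if that branch encodes such paths, so the comment should say so, e.g. `// A ':' after the first / ? or # cannot terminate a URI scheme; such paths are treated as internal and must be encoded below.` The comparison `filter_xss_bad_protocol($path, FALSE) == check_plain($path)` is loose, and `===` would state the intended exact string match on a security check. The commit subject ("Cleanup form attributes") does not describe this edit, which makes a change to URL classification harder to find when auditing history.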