2 files changed, 12 insertions, 5 deletions

diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 5ad6da298..d0359c182 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1474,19 +1474,26 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
     $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal')));
   }
 
-  // Get the plain text representation of the attribute value (i.e. its meaning)
+  // Get the plain text representation of the attribute value (i.e. its meaning).
   if ($decode) {
     $string = decode_entities($string);
   }
-  // Remove soft hyphen
-  $string = str_replace(chr(194) . chr(173), '', $string);
-  // Strip protocols
+
+  // Iteratively remove any invalid protocol found.
 
   do {
     $before = $string;
     $colonpos = strpos($string, ':');
     if ($colonpos > 0) {
+      // We found a colon, possibly a protocol. Verify.
       $protocol = substr($string, 0, $colonpos);
+      // If a colon is preceded by a slash, question mark or hash, it cannot
+      // possibly be part of the URL scheme. This must be a relative URL,
+      // which inherits the (safe) protocol of the base document.
+      if (preg_match('![/?#]!', $protocol)) {
+        break;
+      }
+      // Check if this is a disallowed protocol.
       if (!isset($allowed_protocols[$protocol])) {
         $string = substr($string, $colonpos + 1);
       }
diff --git a/modules/system/system.install b/modules/system/system.install
index cda02552d..282457bf0 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -3486,7 +3486,7 @@ function system_update_1020() {
     $ret[] = update_sql("UPDATE {node_revisions} SET body = REPLACE(body, '<break>', '<!--break-->')");
   }
   variable_del('update_1020_ok');
-  return $ret;    
+  return $ret;
 }