From 4df162d929c5e6dd397c0ca68bb6a6e5292dbee1 Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Fri, 8 Mar 2013 08:38:25 +0100
Subject: [PATCH] Explicitly list protocols that are allowed, rather than using their initials. Also, add cid, which I need for my mailstream plugin to work.
---
 include/bbcode.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/bbcode.php b/include/bbcode.php
index ebed0dbb25..01c8f14df9 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -643,7 +643,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 // fix any escaped ampersands that may have been converted into links
 $Text = preg_replace("/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text);
- $Text = preg_replace("/\<([^>]*?)(src|href)=\"[^hfm](.*?)\>/ism",'<$1$2="">',$Text);
+ $Text = preg_replace("/\<([^>]*?)(src|href)=\"(?!http|ftp|mailto|cid)(.*?)\>/ism",'<$1$2="">',$Text);
 if($saved_image) $Text = bb_replace_images($Text, $saved_image);
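Review bot: The lookahead `(?!http|ftp|mailto|cid)` on the changed `preg_replace` line tests only a prefix, so any value that merely begins with one of those strings (a scheme such as `httpx:`, or a relative path like `ftpfiles/a.png`) is kept as if it were an allowed protocol. Anchoring the alternatives to the scheme delimiter states the allowlist exactly: `(?!(?:https?|ftp|mailto|cid):)`. The pattern also still matches only double-quoted `src`/`href` values, so whether single-quoted or unquoted attributes can reach this point depends on the earlier part of `bbcode()`, which starts and ends outside this hunk and is worth confirming. A one-line comment above the call naming the allowed schemes, and noting that `cid` is there for the mailstream plugin (per the commit message), would keep the list from being widened casually.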