Explicitly list protocols that are allowed, rather than using their initials. Also...

author Matthew Exon <github.mexon@spamgourmet.com>

Fri, 8 Mar 2013 07:38:25 +0000 (08:38 +0100)

committer Matthew Exon <git.mexon@spamgourmet.com>

Sat, 9 Mar 2013 07:57:40 +0000 (15:57 +0800)
author Matthew Exon <github.mexon@spamgourmet.com>
Fri, 8 Mar 2013 07:38:25 +0000 (08:38 +0100)
committer Matthew Exon <git.mexon@spamgourmet.com>
Sat, 9 Mar 2013 07:57:40 +0000 (15:57 +0800)
diff --git a/include/bbcode.php b/include/bbcode.php

index ebed0dbb255b60da06dd387f907de0c693193736..01c8f14df9f1ee9f26784e1fad3531719ecf64da 100644 (file)
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -643,7 +643,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
  
         // fix any escaped ampersands that may have been converted into links
         $Text = preg_replace("/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text);
-       $Text = preg_replace("/\<([^>]*?)(src|href)=\"[^hfm](.*?)\>/ism",'<$1$2="">',$Text);
+       $Text = preg_replace("/\<([^>]*?)(src|href)=\"(?!http|ftp|mailto|cid)(.*?)\>/ism",'<$1$2="">',$Text);
  
         if($saved_image)
                 $Text = bb_replace_images($Text, $saved_image);
author	Matthew Exon <github.mexon@spamgourmet.com>
	Fri, 8 Mar 2013 07:38:25 +0000 (08:38 +0100)
committer	Matthew Exon <git.mexon@spamgourmet.com>
	Sat, 9 Mar 2013 07:57:40 +0000 (15:57 +0800)