Last modified: 2008-08-31 17:11:59 UTC
Created attachment 5232 [details] Patch using $wgUrlProtocols in the API formatHTML() uses a protocol whitelist to avoid protocol injections (such as javascript:, see r17105). However, this list is arbitrary. It should be detecting the same protocols accepted into the wiki ie. $wgUrlProtocols
Why was ://.*? replaced by .*? in preg_replace?
Because $wgUrlProtocols already contains the :// for the which need it (it also has protocols, such as mailto: which don't have slashes, i think supporting them is also ok).
Patch committed in r40278.