Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -N -r1.109.2.4 -r1.109.2.5
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 31 Mar 2019 11:17:59 -0000 1.109.2.4
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 3 Jul 2019 18:12:25 -0000 1.109.2.5
@@ -802,9 +802,10 @@
 ad_proc ad_html_security_check { html } {
- Returns a human-readable explanation if the user has used any HTML
- tag other than the ones marked allowed in antispam section of ad.ini.
- Otherwise returns an empty string.
+ Returns a human-readable explanation if the user has used any
+ HTML tag other than the ones marked allowed in antispam
+ section of the kernel parameters. Otherwise returns an empty
+ string.
 @return a human-readable, plaintext explanation of what's wrong with the user's input.
@@ -878,7 +879,8 @@
 }
 if { [string tolower $attr_name] ne "style" } {
- if { [regexp {^\s*([^\s:]+):\/\/} $attr_value match protocol] } {
+ if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript))} $attr_value match . p1 p2] } {
+ set protocol [expr {$p1 ne "" ? $p1 : $p2}]
 if { ![info exists allowed_protocol([string tolower $protocol])]
 && ![info exists allowed_protocol(*)] } {
 return "Your URLs can only use these protocols: [join $allowed_protocols_list ", "].