Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v diff -u -r1.109.2.49 -r1.109.2.50 --- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 18 Mar 2024 13:13:13 -0000 1.109.2.49 +++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 19 Mar 2024 10:46:18 -0000 1.109.2.50 @@ -1750,6 +1750,32 @@ # set url [ns_unquotehtml $url] + # + # Another trick seen by e.g. penetration tools + # is to try and sneak in URLs sporting + # multiple protocols. We reject those + # altogether. + # + if {![regexp -nocase {^([a-z]+:){2,}} $url]} { + # + # A normal "0 or 1 protocols" URL + # + } elseif {$validate_p} { + # + # Multi-protocol URL and we are + # validating. This HTML is invalid. + # + return 0 + } else { + # + # Multi-protocol URL and we are + # sanitizing. Remove it from the + # result. + # + $node removeAttribute $att + continue + } + set proto "" try { set parsed_url [ns_parseurl $url]
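Review bot: The new multi-protocol guard `^([a-z]+:){2,}` only recognises scheme components made of letters, but RFC 3986 schemes may also contain digits, `+`, `-` and `.`, so a chain such as `view-source:javascript:alert(1)` or `x-foo:javascript:...` is classified as a "normal 0 or 1 protocols" URL and falls through to `ns_parseurl`; whether the downstream proto whitelist (outside this hunk) still catches it cannot be seen here. Widening the class, `if {![regexp -nocase {^([a-z][a-z0-9+.-]*:){2,}} $url]} {`, makes the heuristic match the scheme grammar it is meant to police. Note that both the current and the widened pattern reject legitimate hierarchical `urn:` names (`urn:isbn:...`, `urn:uuid:...`), which is worth stating in the comment block so the rejection is not mistaken for a bug later, e.g. `# Note: this also rejects urn: names such as urn:isbn:..., which are not accepted here.`. The enclosing proc, including the attribute loop that the `continue` belongs to, starts and ends outside the hunk.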