Index: openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/Attic/00-canisue-procs.tcl,v
diff -u -N -r1.1.2.2 -r1.1.2.3
--- openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl 14 Jun 2019 10:44:27 -0000 1.1.2.2
+++ openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl 3 Jul 2019 18:12:25 -0000 1.1.2.3
@@ -73,6 +73,7 @@
 ::acs::register_icanuse "ns_conn partialtimes" [acs::icanuse "ns_server ummap"]
 ::acs::register_icanuse "ns_asynclogfile" {[info commands ::ns_asynclogfile] ne ""}
+::acs::register_icanuse "ns_writer" {[info commands ::ns_writer] ne ""}
 # Local variables:
 # mode: tcl
Index: openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl,v
diff -u -N -r1.141.2.4 -r1.141.2.5
--- openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl 29 Mar 2019 14:42:06 -0000 1.141.2.4
+++ openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl 3 Jul 2019 18:12:25 -0000 1.141.2.5
@@ -612,6 +612,10 @@
     @param url URL path starting with a slash.
     @author Peter Marklund
 } {
+
+    ns_log notice "OLD nsv-based site_node::exists_p <$url>"
+
+
     set url_no_trailing [string trimright $url "/"]
     return [nsv_exists site_nodes "$url_no_trailing/"]
 }
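Review bot: The added `ns_log notice "OLD nsv-based site_node::exists_p <$url>"` reads as temporary debugging instrumentation left in: it is written at notice level, it labels the code path as OLD, and `$url` is presumably a request-derived path (the @param above calls it a URL path), so every call writes a caller-influenced string to the server log and the volume scales with how often exists_p is called. If the trace is still wanted, `ns_log debug "nsv-based site_node::exists_p <$url>"` keeps it out of production logs; otherwise drop the line together with the three added blank lines, two of which leave a double blank before `set url_no_trailing`. The same applies to the two `ns_log notice` lines added in the @@ -1779 hunk of this file, which additionally log the resulting node_id. The ad_proc header of site_node::exists_p is above this hunk.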
@@ -1779,7 +1783,9 @@
     # lookup and check whether the returned node_id has the same
     # URL as the provided one.
     #
+    ns_log notice "site_node::exists_p <$url>"
     set node_id [::xo::site_node get_node_id -url $url_no_trailing]
+    ns_log notice "site_node::exists_p <[list ::xo::site_node get_node_id -url $url_no_trailing]> -> $node_id"
     return [expr {[::xo::site_node get_url -node_id $node_id] eq "$url_no_trailing/"}]
 }
Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -N -r1.109.2.4 -r1.109.2.5
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 31 Mar 2019 11:17:59 -0000 1.109.2.4
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 3 Jul 2019 18:12:25 -0000 1.109.2.5
@@ -802,9 +802,10 @@
 ad_proc ad_html_security_check {
     html
 } {
-    Returns a human-readable explanation if the user has used any HTML
-    tag other than the ones marked allowed in antispam section of ad.ini.
-    Otherwise returns an empty string.
+    Returns a human-readable explanation if the user has used any
+    HTML tag other than the ones marked allowed in antispam
+    section of the kernel parameters. Otherwise returns an empty
+    string.
     @return a human-readable, plaintext explanation of what's wrong with the user's input.
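Review bot: The rewritten docstring still describes only the tag allowlist, while the proc also rejects attribute URL protocols that are not allowed (the `allowed_protocol` lookup in the @@ -878 hunk returns its own explanation), so a reader of the doc will not expect a protocol rejection. A sentence such as `Attribute values that use a URL protocol not listed in the corresponding kernel parameter are rejected as well.` after the first paragraph would make the contract complete. The body of ad_html_security_check continues past the end of this hunk.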
@@ -878,7 +879,8 @@
         }
         if { [string tolower $attr_name] ne "style" } {
-            if { [regexp {^\s*([^\s:]+):\/\/} $attr_value match protocol] } {
+            if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript))} $attr_value match . p1 p2] } {
+                set protocol [expr {$p1 ne "" ? $p1 : $p2}]
                 if { ![info exists allowed_protocol([string tolower $protocol])]
                      && ![info exists allowed_protocol(*)] } {
                     return "Your URLs can only use these protocols: [join $allowed_protocols_list ", "].
Index: openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl,v
diff -u -N -r1.20.2.1 -r1.20.2.2
--- openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl 10 Mar 2019 21:34:33 -0000 1.20.2.1
+++ openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl 3 Jul 2019 18:12:25 -0000 1.20.2.2
@@ -101,11 +101,27 @@
     tests is href attribute is allowed of A tags
 } {
     set html "An Link"
-    aa_equals "href is allowed for A tags" [ad_html_security_check $html] ""
+    aa_equals "href with http:// is allowed for 'a' tags" [ad_html_security_check $html] ""
+    set html "An Link"
+    aa_equals "href with https:// is allowed for 'a' tags" [ad_html_security_check $html] ""
 }
 aa_register_case \
     -cats {api smoke} \
+    -procs {ad_html_security_check} \
+    ad_html_security_check_forbidden_protolcols {
+    tests is href attribute is forbidden for certain tags
+} {
+    set html "An Link"
+    aa_true "protocol 'foo' is not allowed" {[ad_html_security_check $html] ne ""}
+    set html "An Link"
+    aa_true "protocol 'javascript' is not allowed" {[ad_html_security_check $html] ne ""}
+    set html "An Link"
+    aa_true "protocol 'data' is not allowed" {[ad_html_security_check $html] ne ""}
+}
+
+aa_register_case \
+    -cats {api smoke} \
     -procs {util_close_html_tags} \
     util_close_html_tags {
     Tests closing HTML tags.
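Review bot: The new regexp is case-sensitive, so the `(data|javascript)` branch only matches the lowercase spelling, while the lookup two lines below already lowercases `$protocol` before consulting `allowed_protocol`; a scheme written in any other case matches neither alternative, the whole protocol check is skipped and the value passes through. Matching with `regexp -nocase {^\s*(([^\s:]+):\/\/|(data|javascript))} $attr_value match . p1 p2` closes that gap and is consistent with the case-insensitive lookup. The second alternative also does not require a following `:`, so a relative value such as `data-sheet.html` is reported as protocol `data` and rejected; writing it as `(data|javascript):` avoids that false positive. A more general option is to match any `scheme:` prefix (`^\s*([^\s:/]+):`) and let the allowlist decide, which would cover schemes beyond the two hard-coded here but may need the configured allowlist to be reviewed. ad_html_security_check starts and ends outside this hunk.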
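Review bot: The new case name `ad_html_security_check_forbidden_protolcols` has a typo (`protolcols`); the intended spelling is `ad_html_security_check_forbidden_protocols`, and renaming it now avoids a misspelled identifier being referenced from other test cases later. The description `tests is href attribute is forbidden for certain tags` does not say what the three aa_true checks do; `Tests that href attributes using a disallowed URL protocol are rejected` would. The negative cases cover only lowercase scheme names, so a mixed-case variant of the `javascript` case would pin the case handling of the check in the @@ -878 hunk, which currently does not normalize the value before the regexp.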