Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -r1.109.2.48 -r1.109.2.49
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 16 Feb 2024 11:38:28 -0000 1.109.2.48
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 18 Mar 2024 13:13:13 -0000 1.109.2.49
@@ -1730,18 +1730,25 @@
#
# Try to detect malicious attempts to
- # "disguise" a protocol by quoting the
- # colon character.
+ # "disguise" a protocol by replacing
+ # characters with HTML entities.
#
- # The : entity is currently not
- # automatically unquoted by tDOM, so we
- # replace it manually. This may go away at
- # some point.
+ # Tools that target earlier versions of the
+ # HTML specification may not be able to
+ # properly recognize the latest entitities.
#
- # See
- # http://tdom.org/index.html/tktview/d59ea07e74a1903435a947862dd7acd74a4eb92e
+ # Currently, tDOM targets HTML standard 4.01,
+ # hence will not automatically unquote
+ # entities such as ":" and others, that
+ # were introduced later. (See
+ # http://tdom.org/index.html/tktview/d59ea07e74a1903435a947862dd7acd74a4eb92e)
#
- set url [string map {: :} $url]
+ # To overcome this limitation, we pass the URL
+ # through ns_unquotehtml, which on NaviServer
+ # > 4.99.30 will recognize and properly
+ # unescape many of these new entities.
+ #
+ set url [ns_unquotehtml $url]
set proto ""
try {
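Review bot: On NaviServer 4.99.30 and earlier, a protocol disguised with the colon entity would presumably get past the check again, because the new comment itself says `ns_unquotehtml` only unescapes the newer entities on versions > 4.99.30 and the manual `string map` fallback is removed in the same change. Keeping the explicit mapping after the generic unquoting costs nothing and preserves the old protection on older servers, e.g. `set url [string map {&colon; :} [ns_unquotehtml $url]]` (the page rendering shows the entity already decoded as `:`). If the fallback is dropped on purpose, the comment should state the minimum NaviServer version as a hard requirement rather than as an aside. The added comment also has a typo, "entitities". The `try` block that parses the unquoted URL continues outside the hunk, so how `$proto` is derived from the decoded value cannot be checked from here.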