Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -r1.109.2.49 -r1.109.2.50
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 18 Mar 2024 13:13:13 -0000 1.109.2.49
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 19 Mar 2024 10:46:18 -0000 1.109.2.50
@@ -1750,6 +1750,32 @@
#
set url [ns_unquotehtml $url]
+ #
+ # Another trick seen by e.g. penetration tools
+ # is to try and sneak in URLs sporting
+ # multiple protocols. We reject those
+ # altogether.
+ #
+ if {![regexp -nocase {^([a-z]+:){2,}} $url]} {
+ #
+ # A normal "0 or 1 protocols" URL
+ #
+ } elseif {$validate_p} {
+ #
+ # Multi-protocol URL and we are
+ # validating. This HTML is invalid.
+ #
+ return 0
+ } else {
+ #
+ # Multi-protocol URL and we are
+ # sanitizing. Remove it from the
+ # result.
+ #
+ $node removeAttribute $att
+ continue
+ }
+
set proto ""
try {
set parsed_url [ns_parseurl $url]
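Review bot: The multi-protocol test at the top of the hunk is anchored at `^` and only accepts `[a-z]+` as scheme characters, so a value such as `java<TAB>script:javascript:…` or one with a leading control character or blank is not classed as multi-protocol, yet browsers strip TAB/CR/LF anywhere in a URL and leading/trailing C0 controls and spaces before parsing it. Unless the proto check that follows `ns_parseurl` (outside this hunk) already normalizes the same way, I would normalize `url` right after `ns_unquotehtml` and before this `regexp`: `regsub -all {[\t\r\n]} $url {} url` followed by `regsub -all {^[\x01-\x20]+|[\x01-\x20]+$} $url {} url`. A side effect worth weighing is that legitimate hierarchical schemes such as `urn:isbn:…` also match `^([a-z]+:){2,}` and are now removed or fail validation; if that is intended, a comment next to the regexp would save the next reader a question, e.g. `# Note: this also rejects URN-style URIs (urn:isbn:...), which are not expected in HTML attributes here.` The enclosing loop and procedure both start before this hunk, so I cannot confirm from here whether `$url` is written back to the attribute after these checks or only used for validation.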