Index: /trunk/roundcubemail/program/lib/washtml.php
===================================================================
--- /trunk/roundcubemail/program/lib/washtml.php (revision 5589)
+++ /trunk/roundcubemail/program/lib/washtml.php (revision 5590)
@@ -169,5 +169,5 @@
$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
}
- else if (preg_match('/^(http|https|ftp):.*$/i', $match[2], $url)) {
+ else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $match[2], $url)) {
if ($this->config['allow_remote'])
$value .= ' url('.htmlspecialchars($url[0], ENT_QUOTES).')';
Index: /trunk/roundcubemail/tests/src/BID-26800.txt
===================================================================
--- /trunk/roundcubemail/tests/src/BID-26800.txt (revision 5589)
+++ /trunk/roundcubemail/tests/src/BID-26800.txt (revision 5590)
@@ -11,4 +11,5 @@
<div> block
valid css
+
@@ -17,5 +18,5 @@
Inject comment text