From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 2 Feb 2020 10:19:16 +0000 (+0000)
Subject: White list protocols allowed for Textile links (#32934).
X-Git-Tag: 4.2.0~1221
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e9d5b0b8dc7f22a31b788ec99f585e46818ba7fe;p=redmine.git

White list protocols allowed for Textile links (#32934).

git-svn-id: http://svn.redmine.org/redmine/trunk@19489 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index d33aede8d..80e0a3626 100644
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -350,7 +350,7 @@ class RedCloth3 < String
     PUNCT = Regexp::quote( '!"#$%&\'*+,-./:;=?@\\^_`|~' )
     PUNCT_NOQ = Regexp::quote( '!"#$&\',./:;=?@\\`|' )
     PUNCT_Q = Regexp::quote( '*-_+^~%' )
-    HYPERLINK = '(\S+?)([^\w\s/;=\?]*?)(?=\s|<|$)'
+    HYPERLINK = '(?=\/|https?:\/\/|s?ftps?:\/\/|www\.|mailto:)(\S+?)([^\w\s/;=\?]*?)(?=\s|<|$)'
 
     # Text markup tags, don't conflict with block tags
     SIMPLE_HTML_TAGS = [
@@ -815,7 +815,7 @@ class RedCloth3 < String
             (?:\(([^)]+?)\)(?="))?     # $title
             ":
             (                          # $url
-            (\/|[a-zA-Z]+:\/\/|www\.|mailto:)  # $proto
+            (\/|https?:\/\/|s?ftps?:\/\/|www\.|mailto:)  # $proto
             [[:alnum:]_\/]\S+?
             )
             (\/)?                      # $slash