Merged r21101 from trunk to 4.2-stable (#35441).

git-svn-id: http://svn.redmine.org/redmine/branches/4.2-stable@21108 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 3 insertions, 1 deletions

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index 3c43a54d9..2816e1c90 100644
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -961,7 +961,7 @@ class RedCloth3 < String
             href, alt_title = check_refs( href ) if href
             url, url_title = check_refs( url )
 
-            next m unless uri_with_safe_scheme?(url)
+            next m unless uri_with_safe_scheme?(url.partition('?').first)
             if href
               href = htmlesc(href.dup)
               next m if href.downcase.start_with?('javascript:')
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 730023443..7226902e4 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -150,6 +150,8 @@ class ApplicationHelperTest < Redmine::HelperTest
       'with title !http://foo.bar/image.jpg(This is a double-quoted "title")!' =>
         'with title <img src="http://foo.bar/image.jpg" title="This is a double-quoted &quot;title&quot;" ' \
           'alt="This is a double-quoted &quot;title&quot;" />',
+      'with query string !http://foo.bar/image.cgi?a=1&b=2!' =>
+        'with query string <img src="http://foo.bar/image.cgi?a=1&#38;b=2" alt="" />'
     }
     to_test.each {|text, result| assert_equal "<p>#{result}</p>", textilizable(text)}
   end