
Default whitelist for src and href not quite right

description

Hi,

Just been testing against some sample content and found that the standard whitelist regex for src and href attributes falls down a bit.

src="(/|mailto\:|(news|(ht|f)tp(s?))\://){0,1}[@\w\.]+"

This doesn't allow the following URL:

http://www.pianola.net/Themes/Pianola/Content/Images/pianola-logo.png

It's because it contains a '-' and several instances of '/'.

I found this modification fixed it:

src="(/|mailto\:|(news|(ht|f)tp(s?))\://){0,1}[@\w\.\/\-]+"
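To see what the two patterns above actually accept and reject, here is an added test harness (example code written for this page, not the reporter's code and not part of the sanitizer project). It runs both regexes, copied verbatim from the report, through Python's `re` module rather than the sanitizer's own engine, and assumes the sanitizer anchors the pattern to the whole attribute value (`fullmatch`); the sample URLs are constructed for the demonstration. Beyond the reported logo URL it also checks what the relaxed character class does with a protocol-relative `//host/...` value, and what an unanchored `search` would return for a `javascript:` value, since an unanchored whitelist check is the failure mode that matters here.

```python
import re

# Both patterns exactly as given in the report (the surrounding src="..." is the
# sanitizer's attribute syntax, not part of the regex).
ORIGINAL = r"(/|mailto\:|(news|(ht|f)tp(s?))\://){0,1}[@\w\.]+"
MODIFIED = r"(/|mailto\:|(news|(ht|f)tp(s?))\://){0,1}[@\w\.\/\-]+"


def allowed(pattern, value):
    """True if the whole attribute value matches the whitelist pattern.

    Assumption (not confirmed by the report): the sanitizer anchors the
    pattern to the entire value, which is what fullmatch() does.
    Note that Python's \\w is Unicode-aware, so non-ASCII letters pass the
    character class; a different engine may behave differently.
    """
    return re.fullmatch(pattern, value) is not None


def classify(value):
    """Compare the original and modified whitelist on one value."""
    return {"original": allowed(ORIGINAL, value),
            "modified": allowed(MODIFIED, value)}


def unanchored_hit(pattern, value):
    """Return the substring an unanchored search() would accept, or None.

    Shows why the pattern must be anchored: a partial match on the leading
    word of a dangerous scheme is not a valid whitelist decision.
    """
    m = re.search(pattern, value)
    return m.group(0) if m else None


# Constructed sample values: the URL from the report plus a few edge cases.
SAMPLES = [
    "http://www.pianola.net/Themes/Pianola/Content/Images/pianola-logo.png",
    "/images/logo.png",                     # site-relative path
    "mailto:someone@example.com",
    "javascript:alert(1)",                  # must stay rejected
    "data:text/html;base64,AAAA",           # must stay rejected
    "//evil.example/x.js",                  # protocol-relative: now passes
    "https://example.com/a.png?size=2",     # query string: still rejected
]


if __name__ == "__main__":
    for value in SAMPLES:
        verdict = classify(value)
        print(f"{value:70}  original={verdict['original']!s:5}  "
              f"modified={verdict['modified']!s:5}")
    print("unanchored search on javascript:alert(1) ->",
          unanchored_hit(ORIGINAL, "javascript:alert(1)"))
```

Two things the table makes visible that the report does not mention: adding `/` to the character class means a value such as `//evil.example/x.js` now satisfies the modified pattern (the optional leading `/` followed by more `/`), so protocol-relative URLs are admitted, which may or may not be intended; and neither pattern admits `?`, `=`, `&`, `%` or `#`, so URLs with query strings, percent-encoding or fragments still fail. Whether the sanitizer applies the pattern anchored or unanchored is the first thing to verify, because an unanchored match accepts `javascript` as the matching prefix of `javascript:alert(1)`.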

comments