author: Joey Hess <joey@gnu.kitenet.net>, 2010-04-02 16:05:14 -0400
committer: Joey Hess <joey@gnu.kitenet.net>, 2010-04-02 16:05:14 -0400
commit: 104919ee07b70b166c6c6be13b4f6e5bc5225179 (patch)
tree: dce9764b1d1bf6f608294dd75502198413efcafb /debian/changelog
parent: 05b6e8ceee2bec4442727e2475abf8a8861d5e0a (diff)
htmlscrubber: Allow colons in url fragments after '?'
Colons are not allowed at the start of urls, because it can be interpreted
as a protocol, and allowing arbitrary protocols can be unsafe
(CVE-2008-0809). However, this check was too restrictive, not allowing
use of, e.g., "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a
video, or "somecgi?foo=bar:baz" to pass parameters with colons.
It's still not allowed to have a filename with a colon in it (i.e.
"foo:bar.png") -- to link to such a file, a fully qualified url must be
used.
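The rule the commit message describes, modelled as an added example in Python (this is not ikiwiki's own Perl htmlscrubber code). It shows the pre-commit check beside the relaxed one: a colon anywhere before the first '?' is still treated as a potential protocol and must belong to a fully qualified url with a known scheme, while a colon after '?' is left alone. `SAFE_SCHEMES` is an assumption for illustration; the page only says that arbitrary protocols are unsafe, not which schemes ikiwiki permits. The sample links are constructed, two of them taken from the commit message.

```python
"""Model of the htmlscrubber colon rule before and after this commit.

Added example, not ikiwiki's code. SAFE_SCHEMES is an assumed allow-list
for illustration; the commit message does not list the permitted schemes.
"""
import re

# Assumed allow-list of schemes a fully qualified url may use (illustrative).
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ':'
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _scheme_allowed(url: str) -> bool:
    """A url containing a colon is kept only if it starts with a known-safe scheme.

    Anything else ("javascript:", "data:", or a bare "foo:bar.png") is rejected,
    because a browser would read the text before the colon as a protocol.
    """
    m = _SCHEME_RE.match(url)
    return bool(m) and m.group(1).lower() in SAFE_SCHEMES


def old_check(url: str) -> bool:
    """Pre-commit rule: any colon anywhere in the url triggers the scheme check.

    Too strict: it also rejects "video.ogv?t=0:03:00", where the colon sits in
    the query string and can never be parsed as a scheme.
    """
    if ":" not in url:
        return True
    return _scheme_allowed(url)


def new_check(url: str) -> bool:
    """Post-commit rule: only the part before the first '?' is inspected.

    A colon after '?' is part of the query string. A colon before it is
    still treated as a potential scheme and must pass the allow-list, so a
    filename such as "foo:bar.png" still needs a fully qualified url.
    """
    before_query = url.split("?", 1)[0]
    if ":" not in before_query:
        return True
    return _scheme_allowed(url)


def compare(urls):
    """Return {url: (old_result, new_result)} showing which links the commit newly permits."""
    return {u: (old_check(u), new_check(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample links: the two from the commit message plus abuse attempts.
    samples = [
        "video.ogv?t=0:03:00/0:04:00",     # newly allowed: colon only in the query
        "somecgi?foo=bar:baz",             # newly allowed
        "foo:bar.png",                     # still rejected: colon before any '?'
        "http://example.com/foo:bar.png",  # allowed: fully qualified, safe scheme
        "javascript:alert(1)?x=1",         # rejected: a '?' after the colon does not help
        "data:text/html,<script>",         # rejected: scheme not on the allow-list
        "?javascript:alert(1)",            # allowed: a leading '?' makes it a relative query
    ]
    for url, (old, new) in compare(samples).items():
        print(f"{url:35} old={old!s:5} new={new!s:5}")
```

Only the '?' boundary is relaxed here, matching the commit message, so a colon after a '#' fragment marker is still rejected by this model; whether that should also be permitted is outside what the page states.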
Diffstat (limited to 'debian/changelog')
-rw-r--r--  debian/changelog | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index bbca7cffe..adf0dfed6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ ikiwiki (3.20100324) UNRELEASED; urgency=low used, but they are available in the session object now.) * page.tmpl: Add Cache-Control must-revalidate to ensure that users (especially of Firefox) see fresh page content. + * htmlscrubber: Allow colons in urls after '?' -- Joey Hess <joeyh@debian.org> Sat, 13 Mar 2010 14:48:10 -0500 |
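Review bot: the added line `+ * htmlscrubber: Allow colons in urls after '?'` does not tell users the part of the commit message they most need when upgrading, namely that a colon before the '?' (a filename such as "foo:bar.png") is still rejected and must be linked with a fully qualified url. Consider a slightly longer entry, e.g. `* htmlscrubber: Allow colons in urls after '?' (colons in filenames are still rejected; use a fully qualified url instead).` The changelog's "urls after '?'" is also the more accurate wording than the commit subject's "url fragments", since the examples given ("?t=0:03:00", "?foo=bar:baz") are query strings, so keep the changelog phrasing and let the commit subject follow it.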