﻿id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
274,HTMLSanitizer.is_safe_uri() fails for relative URIs containing a ':',Remy Blank <remy.blank@…>,cmlenz,"The method `HTMLSanitizer.is_safe_uri()` returns `False` for relative URIs like the following:
{{{
#fragment:with:colon
}}}
Note that RFC-3986 explicitly allows ':' in fragments.

The current implementation splits the URI at the first ':' and checks the first part against a list of safe schemes. This is insufficient.

A fix might be to check the part of the URI prior to the first ':' against the specification for a scheme:
{{{
scheme        = ALPHA *( ALPHA / DIGIT / ""+"" / ""-"" / ""."" )
}}}
If it doesn't fit, the URI can be considered as being relative.

This issue has been reported in Trac ticket #T7530.",defect,closed,major,0.6,General,0.5.1,fixed,,
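The scheme check proposed in the ticket, as an added example in Python that is not Genshi's own `HTMLSanitizer` code: a prefix before the first ':' only counts as a scheme when it matches the RFC 3986 `scheme` grammar, and anything else is treated as a relative reference. The `SAFE_SCHEMES` allowlist and the `is_safe_uri_old` function (which reproduces the split-on-':' behaviour the ticket describes, for comparison) are assumptions made for this example; the whitespace/tab/newline normalisation in `is_safe_uri` is a hardening step added here that the ticket does not discuss.

```python
import re

# RFC 3986, section 3.1:
#   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# Anchored at the start of the string and required to be followed by ':'.
# Scheme names are case-insensitive, so the matched name is lowercased
# before it is compared against the allowlist.
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')

# Allowlist of schemes considered safe (an assumption for this example).
SAFE_SCHEMES = frozenset(['file', 'ftp', 'http', 'https', 'mailto'])


def is_safe_uri_old(uri):
    """Behaviour the ticket describes: split at the first ':' and treat the
    left-hand part as a scheme, so a relative URI such as
    '#fragment:with:colon' is wrongly rejected."""
    if ':' not in uri:
        return True
    scheme = uri.split(':', 1)[0]
    return scheme in SAFE_SCHEMES


def split_scheme(uri):
    """Return the lowercased scheme if *uri* starts with a syntactically
    valid RFC 3986 scheme followed by ':', otherwise None (the URI is a
    relative reference)."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def is_safe_uri(uri):
    """Fix suggested in the ticket: only a prefix matching the scheme
    grammar counts as a scheme; everything else is relative and therefore
    safe.  Before matching, ASCII tab/newline characters are removed and
    leading whitespace is stripped, because browsers ignore them when
    parsing a URL (hardening added in this example, not in the ticket)."""
    for ch in ('\t', '\n', '\r'):
        uri = uri.replace(ch, '')
    uri = uri.lstrip()
    scheme = split_scheme(uri)
    if scheme is None:
        return True  # no valid scheme: relative reference
    return scheme in SAFE_SCHEMES


if __name__ == '__main__':
    # Constructed sample inputs: the ticket's case plus a few edge cases.
    for sample in ('#fragment:with:colon', 'path/with:colon', '1abc:x',
                   'HTTP://example.com/', 'javascript:alert(1)',
                   ' \tjava\nscript:alert(1)'):
        print('%-28r old=%-5s new=%s' % (sample, is_safe_uri_old(sample),
                                          is_safe_uri(sample)))
```

Both `path/with:colon` and `1abc:x` are treated as relative because `path/with` contains '/' and `1abc` starts with a digit, neither of which the scheme grammar permits; this matches how a browser resolves them.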
