id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
274	HTMLSanitizer.is_safe_uri() fails for relative URIs containing a ':'	Remy Blank <remy.blank@…>	cmlenz	"The method `HTMLSanitizer.is_safe_uri()` returns `False` for relative URIs like the following:
{{{
#fragment:with:colon
}}}
Note that RFC-3986 explicitly allows ':' in fragments.

The current implementation splits the URI at the first ':' and checks the first part against a list of safe schemes. This is insufficient.

A fix might be to check the part of the URI prior to the first ':' against the specification for a scheme:
{{{
scheme        = ALPHA *( ALPHA / DIGIT / ""+"" / ""-"" / ""."" )
}}}
If it doesn't fit, the URI can be considered as being relative.

This issue has been reported in Trac ticket #T7530."	defect	closed	major	0.6	General	0.5.1	fixed		
