Make URI parsing algorithm more strict.

Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

NEWS

@@ -9,6 +9,11 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+4.6.0, unknown release date
+# URI parsing algorithm was made more strict, so only prefixes which
+  looks like schemes will actually be schemes.  Thanks
+  Michael Gusev <mgusev@sugarcrm.com> for fixing.
+
 4.5.0, released 2013-02-17
 # Fix bug where stacked attribute transforms clobber each other;
   this also means it's no longer possible to override attribute

library/HTMLPurifier/URIParser.php

@@ -30,7 +30,7 @@ class HTMLPurifier_URIParser
         // Note that ["<>] are an addition to the RFC's recommended
         // characters, because they represent external delimeters.
         $r_URI = '!'.
-            '(([^:/?#"<>]+):)?'. // 2. Scheme
+            '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
             '(//([^/?#"<>]*))?'. // 4. Authority
             '([^?#"<>]*)'.       // 5. Path
             '(\?([^#"<>]*))?'.   // 7. Query

tests/HTMLPurifier/URIParserTest.php

@@ -140,6 +140,13 @@ class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness
         );
     }
 
+    function testEmbeddedColon() {
+        $this->assertParsing(
+            '{:test:}',
+            null, null, null, null, '{:test:}', null, null
+        );
+    }
+
 }
 
 // vim: et sw=4 sts=4