From time to time, people complain here (e.g., http://www.simplemachines.org/community/index.php?topic=505934.msg0
) that they give a "nonstandard" protocol such as "steam://" (whatever that is) and SMF insists on shoving an http://
in front of the URL. I suggest that wherever SMF is checking for a full URL (protocol://domain/path), that it accept any
protocol explicitly given by the user, rather than checking just for http:// and https://. The regexp for this would be something like ([a-zA-Z]+)://
. I don't know if any legitimate protocols include non-alphabetics. If no protocol is given, add http://. Are there any known harmful protocols that should be excluded, either always or at the discretion of the forum owner?
If this is implemented, it would probably be best done as $url = check_protocol($url, 'http', array(exclude1, exclude2));
rather than hard coding it over and over in SMF code. You would have the original URL as input, the default protocol to use, and any protocols to forbid (or a set of allowed protocols). Maybe the allowed/forbidden list could be array('A', 'http', 'https', 'ftp')
or array('F', 'steam')
style. That would be explicitly allowed
, or a user-defined
(forum admin) list of allowed or forbidden protocols, stored in the database.