Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(revision 4669)
+++ wp-includes/formatting.php	(working copy)
@@ -1056,7 +1056,7 @@
 	return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url ) {
+function clean_url( $url, $protocols = null ) {
 	if ('' == $url) return $url;
 	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
 	$strip = array('%0d', '%0a');
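Review bot: The new optional `$protocols` parameter is undocumented, and the function has no docblock to explain what a caller may pass or what the `null` default means. A short header above the signature would cover it, e.g. `/** Sanitises $url to a safe character set and rejects any scheme not listed in $protocols; when $protocols is not an array a built-in allow-list is used. Returns '' for a disallowed scheme. */`. The body of clean_url continues in the next hunk.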
@@ -1064,6 +1064,10 @@
 	$url = str_replace(';//', '://', $url);
 	$url = (!strstr($url, '://')) ? 'http://'.$url : $url;
 	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+	if ( !is_array($protocols) )
+		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
+	if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
+		return '';
 	return $url;
 }
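Review bot: The allow-list check is placed after the context line that prepends `http://` to any value lacking `://`, so `mailto`, `news` and `nntp` entries in the default list — schemes normally written without `//` — would already have been rewritten to `http://mailto:...` before `wp_kses_bad_protocol` ever sees them; either that prefix step should be skipped when the value already starts with a listed scheme, or it should be confirmed that the `scheme://` spelling is the intended input for those entries. The comparison on the new line should be strict, `if ( wp_kses_bad_protocol( $url, $protocols ) !== $url )`, since both sides are strings and loose `!=` adds nothing but surprise. The added line defining the default array also carries trailing whitespace. This hunk assumes `wp_kses_bad_protocol`, defined outside this file, is loaded wherever `clean_url` runs — worth confirming for the early-bootstrap callers.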
 

