Ticket #7386: 7386.002.diff

wp-includes/formatting.php

@@ -1147 +1147 @@
         $original_url = $url;
 
         if ('' == $url) return $url;
-        $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@()\\x80-\\xff]|i', '', $url);
+        $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$*\'()\\x80-\\xff]|i', '', $url);
         $strip = array('%0d', '%0a');
         $url = str_replace($strip, '', $url);
         $url = str_replace(';//', '://', $url);
@@ -1159 +1159 @@
                 substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
                 $url = 'http://' . $url;
 
-        // Replace ampersands ony when displaying.
-        if ( 'display' == $context )
+        // Replace ampersands and single quotes ony when displaying.
+        if ( 'display' == $context ) {
                 $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+                $url = str_replace( "'", ''', $url );
+        }
 
         if ( !is_array($protocols) )
                 $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');