Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(revision 18024)
+++ wp-includes/formatting.php	(working copy)
@@ -2902,4 +2902,22 @@
 	return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
 }
 
+/**
+ * Sanitize space or carriage return separated urls that are used to send trackbacks.
+ *
+ * @since 3.2.0
+ *
+ * @param string $to_ping Space or carriage return separated urls
+ * @return string Urls starting with the http or https protocol, separated by a carriage return.
+ */
+function sanitize_trackback_urls( $to_ping ) {
+    $urls_to_ping = preg_split('/\s|\n/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
+    foreach( $urls_to_ping as $k => $url ) {
+        if ( !preg_match('#^https?://.#i', $url) )
+            unset($urls_to_ping[$k]);
+    }
+	$sani_to_ping = implode( "\n", $urls_to_ping );
+	return apply_filters( 'sanitize_trackback_urls', $sani_to_ping, $to_ping );
+}
+
 ?>
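Review bot: The test in `sanitize_trackback_urls()` only confirms that each token begins with `http://` or `https://` followed by one character; everything after that prefix is kept exactly as submitted. Per the docblock these entries are used to send trackbacks, so I would normalise the survivors before the `implode()`, for example `$urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );`. Neither the regex nor that call restricts which host ends up being contacted, so the docblock should state that destination checks are left to the code that sends the pings. Minor: `\s` already matches `\n`, so the split pattern can be `/\s+/`, and the separator described as a "carriage return" in the docblock is really a line feed (`"\n"`).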
Index: wp-includes/post.php
===================================================================
--- wp-includes/post.php	(revision 18024)
+++ wp-includes/post.php	(working copy)
@@ -2519,7 +2519,7 @@
 		$ping_status = get_option('default_ping_status');
 
 	if ( isset($to_ping) )
-		$to_ping = preg_replace('|\s+|', "\n", $to_ping);
+		$to_ping = sanitize_trackback_urls( $to_ping );
 	else
 		$to_ping = '';
 
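Review bot: Sanitising `$to_ping` at this point covers only this one write path; the enclosing function starts and ends outside the hunk, so other places that store the to-ping list are not visible here. Values stored before this change, or written by another path, would presumably still reach the sender unfiltered, so consider also calling `sanitize_trackback_urls()` where the pending list is read before pings go out. The old line kept every token and the new one silently discards some, which deserves a comment such as `// Drops any entry that is not an http(s) URL.` above the call.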
