wp_filter_post_kses mangles URLs with colons in them

[rkaiser0324]

Try to save this entirely valid post content:

<a href="/this/is/a/valid:link">watch what happens</a>

The KSES logic is overly aggressive and strips the URL. It's getting confused by the colon.

Might be related to #24663

[SergeyBiryukov]

Related: #21974, #23922.

[miqrogroove]

I disagree. Colons are reserved characters in the specification for URLs and we have important reasons for never allowing them. This ticket will need a 2nd opinion.

[rkaiser0324]

That's interesting, I didn't know the colon was a reserved character. Why this comes up is the CakePHP MVC framework (​http://book.cakephp.org/2.0/en/development/routing.html), which I used for plugin development, is prominently supporting these "named parameters" of key-value pairs in URLs, so I end up wanting to use them in links inside posts. Given the large size of the CakePHP community, I'm surprised to find that using them is bad practice.

[miqrogroove]

Yeah /this/is/a/valid:link is technically invalid and should be represented as /this/is/a/valid%3Alink until processed by the responding server. However, most servers will allow both representations unless properly firewalled, so it's a somewhat gray area.

[wonderboymusic]

wouldn't mind this being unit tested