From a89d623302b5027dbb2d06941a22372948757685 Mon Sep 17 00:00:00 2001 From: Daniel Friesen Date: Sun, 12 May 2013 19:41:13 -0700 Subject: [PATCH] Whitelist a bunch of url protocols. Our url whitelisting is just to reject unsafe protocols like javascript:. We have no reason to reject a bunch of urls to open standardized schemes. Whitelist a bunch of them: ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo. Change-Id: I941190203ee1442d912d46144584bf2e7733f32c --- RELEASE-NOTES-1.22 | 2 ++ includes/DefaultSettings.php | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index ad12bf9cd1..569a2b9650 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -16,6 +16,8 @@ production. Special:UserLogin/signup is activated. * $wgVectorUseIconWatch is now enabled by default. * $wgCascadingRestrictionLevels was added. +* ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo + have been whitelisted inside of $wgUrlProtocols. === New features in 1.22 === * (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 46ca7edbae..bcc4ae4525 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php 
@@ -3377,17 +3377,29 @@ $wgUrlProtocols = array( 'http://', 'https://', 'ftp://', + 'ftps://', // If we allow ftp:// we should allow the secure version. + 'ssh://', + 'sftp://', // SFTP > FTP 'irc://', 'ircs://', // @bug 28503 + 'xmpp:', // Another open communication protocol + 'sip:', + 'sips:', 'gopher://', 'telnet://', // Well if we're going to support the above.. -ævar 'nntp://', // @bug 3808 RFC 1738 'worldwind://', 'mailto:', + 'tel:', // If we can make emails linkable, why not phone numbers? + 'sms:', // Likewise this is standardized too 'news:', 'svn://', 'git://', 'mms://', + 'bitcoin:', // Even registerProtocolHandler whitelists this along with mailto: + 'magnet:', // No reason to reject torrents over magnet: when they're allowed over http:// + 'urn:', // Allow URNs to be used in Microdata/RDFa s + 'geo:', // geo: urls define locations, they're useful in Microdata/RDFa and when mentioning coordinates. '//', // for protocol-relative URLs ); -- 2.20.1
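Review bot: the RELEASE-NOTES-1.22 entry records the new entries but not the operational consequence, which is that any wiki that relied on the old default list to keep these schemes out of rendered links now gets them on upgrade; suggest adding a sentence to the note telling site operators who want the previous behaviour to set $wgUrlProtocols explicitly in their own configuration, and replacing "inside of" with "in".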
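Review bot: in the includes/DefaultSettings.php hunk, the rationale that the list only exists to reject script schemes like javascript: understates what the new entries do: tel:, sms:, bitcoin:, magnet:, geo:, sip:/sips: and xmpp: are handed to an external protocol handler (dialer, messaging or wallet application, torrent client) rather than fetched by the browser, so a click now triggers an action outside the page; that is a behaviour change worth stating in the comment block above the array so later maintainers judge additions by the same criterion. Two smaller points: the comment on 'urn:' is truncated ("Microdata/RDFa s"), and the comment on 'sms:' ("Likewise this is standardized too") would be clearer with the RFC number, as the 'nntp://' entry already does.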