Index: modules/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/Attic/filter.module,v
retrieving revision 1.57.2.14
diff -u -Ffunction -r1.57.2.14 filter.module
--- modules/filter.module 12 Apr 2006 14:36:37 -0000 1.57.2.14
+++ modules/filter.module 11 Oct 2006 22:15:56 -0000
@@ -1235,15 +1235,21 @@ function filter_xss_bad_protocol($string
   if ($decode) {
     $string = decode_entities($string);
   }
-  // Remove soft hyphen
-  $string = str_replace(chr(194) . chr(173), '', $string);
-  // Strip protocols
+  // Iteratively remove any invalid protocol found.
   do {
     $before = $string;
     $colonpos = strpos($string, ':');
     if ($colonpos > 0) {
+      // We found a colon, possibly a protocol. Verify.
       $protocol = substr($string, 0, $colonpos);
+      // If a colon is preceded by a slash, question mark or hash, it cannot
+      // possibly be part of the URL scheme. This must be a relative URL,
+      // which inherits the (safe) protocol of the base document.
+      if (preg_match('![/?#]!', $protocol)) {
+        break;
+      }
+      // Check if this is a disallowed protocol
       if (!isset($allowed_protocols[$protocol])) {
         $string = substr($string, $colonpos + 1);
       }