htmlscrubber: Allow colons in url fragments after '?'

Colons are not allowed at the start of urls, because it can be interpreted
as a protocol, and allowing arbitrary protocols can be unsafe
(CVE-2008-0809). However, this check was too restrictive, not allowing
use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a
video, or "somecgi?foo=bar:baz" to pass parameters with colons.

It's still not allowed to have a filename with a colon in it (ie
"foo:bar.png") -- to link to such a file, a fully qualified url must be
used.

IkiWiki/Plugin/htmlscrubber.pm

@@ -32,7 +32,7 @@ sub import {
 	);
 	# data is a special case. Allow a few data:image/ types,
 	# but disallow data:text/javascript and everything else.
-	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
+	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i;
 }
 
 sub getsetup () {

debian/changelog

@@ -25,6 +25,7 @@ ikiwiki (3.20100324) UNRELEASED; urgency=low
     used, but they are available in the session object now.)
   * page.tmpl: Add Cache-Control must-revalidate to ensure that users
     (especially of Firefox) see fresh page content.
+  * htmlscrubber: Allow colons in urls after '?'
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500