[aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

2010-09-30 Thread Lukas Fleischer
This is a bit of a hacky patch to make links in AUR comments clickable (fixes
FS#20137 [1]). Huge parts of this code are ripped from the DokuWiki
plugin that is also used in Flyspray.

I didn't have any time to test it extensively, so I'd suggest doing some
more tests if this is to be committed.

[1] https://bugs.archlinux.org/task/20137

---
 web/lib/aur.inc   |   45 +
 web/template/pkg_comments.php |2 +-
 2 files changed, 46 insertions(+), 1 deletions(-)

diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index bd69c4c..b0cfdc8 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -494,3 +494,48 @@ function salted_hash($passwd, $salt)
}
return md5($salt . $passwd);
 }
+
+function parse_link($matches)
+{
+  $name = $url = $matches[0];
+
+  if(substr($url, 0, 3) == 'ftp'  (substr($url, 0, 6) != 'ftp://')) {
+$url = 'ftp://'.$url;
+  }
+  elseif (substr($url, 0, 3) == 'www') {
+$url = 'http://'.$url;
+  }
+
+  $url = str_replace('', 'amp;', $url);
+  $url = str_replace('amp;amp;', 'amp;', $url);
+  $url = strtr($url, array('' = '%3E', '' = '%3C', '' = '%22'));
+
+  return 'a href=' . $url . '' . $name . '/a';
+}
+
+function parse_comment($comment)
+{
+  $schemes = array('http', 'https', 'ftp');
+  $ltrs = '\w';
+  $gunk = '\/\#~:.?+=%...@!\-';
+  $punc = '.:?\-;,';
+  $host = $ltrs . $punc;
+  $any = $ltrs . $gunk . $punc;
+
+  $patterns = array();
+
+  foreach ($schemes as $scheme) {
+$patterns[] = '(\b(?i)' . $scheme . '(?-i):\/\/[' . $any . ']+?(?=[' . 
$punc . ']*[^' . $any . ']))';
+  }
+
+  $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
+  $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
+
+  $regex = '/' . implode('|', $patterns) . '/msS';
+
+  $comment = htmlspecialchars($comment);
+  $comment = preg_replace_callback($regex, parse_link, $comment . \n);
+  $comment = nl2br($comment);
+
+  return $comment;
+}
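Review bot: the two hostname-only patterns use `www?` and `ftp?`, which makes the last letter optional, and all patterns are compiled with (?i), while the prefix checks in parse_link() (`substr($url, 0, 3) == 'ftp'` and `== 'www'`) are exact and case-sensitive. So `ww.example.org`, `ft.example.org` and `WWW.example.org` are all matched as links but get no scheme prepended, and the anchor is emitted with a relative href. Either spell the prefixes out (`www`, `ftp`) and compare with strcasecmp(), or drop the hostname-only patterns altogether, as discussed downthread. Other points in this hunk: the newline appended to `$comment` before preg_replace_callback() (needed so the lookahead can terminate a URL at the end of the text) is never stripped, so nl2br() turns it into a trailing <br /> on every comment; trim it before returning. Because htmlspecialchars() runs on the whole comment before any link is matched, the ampersand str_replace() pair and the strtr() to %3E/%3C/%22 in parse_link() never see the raw characters they target (the author confirms below that the first str_replace() is superfluous); both can go. htmlspecialchars() is called without ENT_QUOTES; the character classes in $any do not admit a single quote, so nothing reaches the href unescaped today, but passing ENT_QUOTES is cheap insurance if $gunk is ever widened. Finally, anchors built from user comments should carry rel="nofollow".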
diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php
index 02171a0..2ca9bf0 100644
--- a/web/template/pkg_comments.php
+++ b/web/template/pkg_comments.php
@@ -20,7 +20,7 @@ while (list($indx, $carr) = each($comments)) { ?
 ?/div
blockquote class=comment-body
div
-?php echo nl2br(htmlspecialchars($carr['Comments'])) ?
+?php echo parse_comment($carr['Comments']) ?
/div
/blockquote
 ?php
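Review bot: with this change the template no longer escapes anything itself; parse_comment() becomes the single place where comment text is made safe to echo. Document that contract on parse_comment() (takes raw comment text, returns HTML) so that nobody later wraps this call in htmlspecialchars() again and double-encodes both the entities and the <a> tags it produces.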
-- 
1.7.3



[aur-dev] [PATCH] Minor fix in French translation (FS#20111).

2010-09-30 Thread Lukas Fleischer
---
 web/lang/fr.po |8 
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/web/lang/fr.po b/web/lang/fr.po
index 5728947..596f4af 100644
--- a/web/lang/fr.po
+++ b/web/lang/fr.po
@@ -43,7 +43,7 @@ $_t[Account Suspended] = Compte Suspendu;
 
 $_t[Status] = Etat;
 
-$_t[New Package Notify] = Annoncer les nouveaux paquets;
+$_t[New Package Notify] = Suivre les nouveaux paquets;
 
 $_t[IRC Nick] = Pseudo IRC;
 
@@ -317,7 +317,7 @@ $_t[The above files have been verified (by %s) and are 
safe to use.] = Les fi
 
 $_t[Could not retrieve information for the specified user.] = Impossible de 
retrouver l'information pour l'utilisateur spécifié.;
 
-$_t[UnNotify] = Ne plus annoncer;
+$_t[UnNotify] = Ne plus suivre;
 
 $_t[You do not have permission to edit this account.] = Vous n'avez pas la 
permission d'éditer ce compte.;
 
@@ -369,7 +369,7 @@ $_t[Yes] = Oui;
 
 $_t[Search Criteria] = Critères de recherche;
 
-$_t[Notify] = Annoncer;
+$_t[Notify] = Suivre;
 
 $_t[Go] = Aller;
 
@@ -407,7 +407,7 @@ $_t[Required by] = Requis par;
 
 $_t[This package has been flagged out of date.] = Ce paquet a été marqué 
comme périmé.;
 
-$_t[Toggle Notify] = Annoncer/Ne plus annoncer;
+$_t[Toggle Notify] = Suivre/Ne plus suivre;
 
 $_t[Accounts] = Comptes;
 
-- 
1.7.3



Re: [aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

2010-09-30 Thread PyroPeter

On 09/30/2010 05:22 PM, Lukas Fleischer wrote:

This is a bit of a hacky patch to make links in AUR comments clickable (fixes
FS#20137 [1]). Huge parts of this code are ripped from the DokuWiki
plugin that is also used in Flyspray.

I didn't have any time to test it extensively, so I'd suggest doing some
more tests if this is to be committed.

[1] https://bugs.archlinux.org/task/20137

---
  web/lib/aur.inc   |   45 +
  web/template/pkg_comments.php |2 +-
  2 files changed, 46 insertions(+), 1 deletions(-)

diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index bd69c4c..b0cfdc8 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -494,3 +494,48 @@ function salted_hash($passwd, $salt)
}
return md5($salt . $passwd);
  }
+
+function parse_link($matches)
+{
+  $name = $url = $matches[0];
+
+  if(substr($url, 0, 3) == 'ftp'  (substr($url, 0, 6) != 'ftp://')) {
+$url = 'ftp://'.$url;
+  }
+  elseif (substr($url, 0, 3) == 'www') {
+$url = 'http://'.$url;
+  }
+
+  $url = str_replace('','amp;', $url);
+  $url = str_replace('amp;amp;', 'amp;', $url);


What about the occurrences of &amp;(html-entity-code-here); that you
produced in the line before?


+  $url = strtr($url, array('' =  '%3E','' =  '%3C', '' =  '%22'));
+
+  return 'a href=' . $url . '' . $name .'/a';
+}
+
+function parse_comment($comment)
+{
+  $schemes = array('http', 'https', 'ftp');
+  $ltrs = '\w';
+  $gunk = '\/\#~:.?+=%...@!\-';
+  $punc = '.:?\-;,';
+  $host = $ltrs . $punc;
+  $any = $ltrs . $gunk . $punc;
+
+  $patterns = array();
+
+  foreach ($schemes as $scheme) {
+$patterns[] = '(\b(?i)' . $scheme . '(?-i):\/\/[' . $any . ']+?(?=[' . 
$punc . ']*[^' . $any . ']))';
+  }
+
+  $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
+  $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';


I am not that experienced with PHP, but this looks like the $patterns
array got replaced instead of extended.


+
+  $regex = '/' . implode('|', $patterns) . '/msS';
+
+  $comment = htmlspecialchars($comment);


Won't this render the next instruction useless if there are
html-characters in a link?


+  $comment = preg_replace_callback($regex, parse_link, $comment . \n);
+  $comment = nl2br($comment);
+
+  return $comment;
+}
diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php
index 02171a0..2ca9bf0 100644
--- a/web/template/pkg_comments.php
+++ b/web/template/pkg_comments.php
@@ -20,7 +20,7 @@ while (list($indx, $carr) = each($comments)) { ?
  ?/div
blockquote class=comment-body
div
-?php echo nl2br(htmlspecialchars($carr['Comments'])) ?
+?php echo parse_comment($carr['Comments']) ?
/div
/blockquote
  ?php


Generally I would not make hostnames (www.foo.tld) clickable.
If people are not able to provide proper URLs, they have a serious
problem. (There is also the technical argument that the hostname is not
a good indicator for the kind of service the host provides.)

Regards, PyroPeter
--
freenode/pyropeter  12:50 - Ich drücke Return.


[aur-dev] [PATCH] Add timestamp when a package is flagged out-of-date (FS#20848).

2010-09-30 Thread Lukas Fleischer
---
 UPGRADING |4 
 support/schema/aur-schema.sql |1 +
 web/lang/cs.po|2 +-
 web/lang/de.po|2 +-
 web/lang/el_GR.po |2 +-
 web/lang/fr.po|2 +-
 web/lang/he.po|2 +-
 web/lang/hr.po|2 +-
 web/lang/hu.po|2 +-
 web/lang/it.po|2 +-
 web/lang/nb_NO.po |2 +-
 web/lang/pl.po|2 +-
 web/lang/ro.po|2 +-
 web/lang/ru.po|2 +-
 web/lang/sr.po|2 +-
 web/lang/tr.po|2 +-
 web/lang/uk.po|2 +-
 web/lang/zh_CN.po |2 +-
 web/lib/pkgfuncs.inc  |3 ++-
 web/template/pkg_details.php  |3 ++-
 20 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/UPGRADING b/UPGRADING
index 743f404..99c5d1a 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -1,6 +1,10 @@
 Upgrading
 =
 
+From 1.7.0
+--
+ALTER TABLE Packages ADD OutOfDateTS BIGINT UNSIGNED NOT NULL;
+
 From 1.6.0 to 1.7.0
 ---
 ALTER TABLE Users ADD Salt CHAR(32) NOT NULL DEFAULT '';
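Review bot: the new heading says only "From 1.7.0", whereas the entry right below it reads "From 1.6.0 to 1.7.0"; name the target release (or "From 1.7.0 to git") so the two entries follow the same convention. The ALTER TABLE adds OutOfDateTS as NOT NULL with no DEFAULT, so on MySQL every existing row receives 0; make sure the code that displays the flag date treats 0 as "date unknown" for packages flagged before this upgrade instead of rendering the epoch.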
diff --git a/support/schema/aur-schema.sql b/support/schema/aur-schema.sql
index 250d405..15705a3 100644
--- a/support/schema/aur-schema.sql
+++ b/support/schema/aur-schema.sql
@@ -120,6 +120,7 @@ CREATE TABLE Packages (
LocationID TINYINT UNSIGNED NOT NULL DEFAULT 1,
NumVotes INTEGER UNSIGNED NOT NULL DEFAULT 0,
OutOfDate TINYINT UNSIGNED DEFAULT 0,
+   OutOfDateTS BIGINT UNSIGNED NOT NULL,
SubmittedTS BIGINT UNSIGNED NOT NULL,
ModifiedTS BIGINT UNSIGNED NOT NULL,
SubmitterUID INTEGER UNSIGNED NOT NULL DEFAULT 0, -- who submitted 
it?
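Review bot: OutOfDateTS is declared NOT NULL without a DEFAULT, while the OutOfDate flag on the line above it carries DEFAULT 0. A package row is inserted long before anyone flags it, so every INSERT into Packages now has to supply OutOfDateTS explicitly or rely on MySQL silently substituting 0 for a NOT NULL integer column, which becomes an error under strict SQL mode. Add DEFAULT 0 here and in the UPGRADING statement, and reset the column to 0 wherever OutOfDate is cleared so a stale timestamp does not survive an unflag.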
diff --git a/web/lang/cs.po b/web/lang/cs.po
index e430d05..214df00 100644
--- a/web/lang/cs.po
+++ b/web/lang/cs.po
@@ -15,7 +15,7 @@ global $_t;
 
 $_t[Search by] = Vyhledat dle;
 
-$_t[This package has been flagged out of date.] = Balíček byl označen 
jako zastaralý.;
+$_t[This package has been flagged out of date] = Balíček byl označen 
jako zastaralý;
 
 $_t[Voted] = Hlasováno;
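Review bot: the lookup key changes from "This package has been flagged out of date." to the same string without the trailing period, here and in the other .po files listed in the diffstat. $_t is looked up by exact string, so this only takes effect if the call site in web/template/pkg_details.php (in the diffstat, but not visible in the part of the patch reproduced here) switches to the new key; with a mismatch the page silently falls back to untranslated English. If the period was dropped so that the timestamp can be appended after the sentence, a format string such as "This package has been flagged out of date (%s)." would let translators keep their own punctuation and word order.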
 
diff --git a/web/lang/de.po b/web/lang/de.po
index 929e6f8..bbaa16b 100644
--- a/web/lang/de.po
+++ b/web/lang/de.po
@@ -390,7 +390,7 @@ $_t[You are not allowed to access this area.] = Es ist 
Dir nicht erlaubt, auf
 
 $_t[Unsafe] = Unsicher;
 
-$_t[This package has been flagged out of date.] = Dieses Paket wurde als 
veraltet markiert.;
+$_t[This package has been flagged out of date] = Dieses Paket wurde als 
veraltet markiert;
 
 $_t[The above files have been verified (by %h%s%h) and are safe to use.] = 
Die obigen Dateien wurden (von %h%s%h) als sicher markiert.;
 
diff --git a/web/lang/el_GR.po b/web/lang/el_GR.po
index 5f5c96c..4118c18 100644
--- a/web/lang/el_GR.po
+++ b/web/lang/el_GR.po
@@ -86,7 +86,7 @@ $_t[Unsupported packages are user produced content. Any use 
of the provided fil
 
 $_t[Search by] = Αναζήτηση κατά;
 
-$_t[This package has been flagged out of date.] = Αυτό το 
πακέτο έχει χαρακτηριστεί παρωχημένο.;
+$_t[This package has been flagged out of date] = Αυτό το πακέτο 
έχει χαρακτηριστεί παρωχημένο;
 
 $_t[Voted] = Ψηφισμένο;
 
diff --git a/web/lang/fr.po b/web/lang/fr.po
index 596f4af..1ce1896 100644
--- a/web/lang/fr.po
+++ b/web/lang/fr.po
@@ -405,7 +405,7 @@ $_t[Out of Date] = Périmé;
 
 $_t[Required by] = Requis par;
 
-$_t[This package has been flagged out of date.] = Ce paquet a été marqué 
comme périmé.;
+$_t[This package has been flagged out of date] = Ce paquet a été marqué 
comme périmé;
 
 $_t[Toggle Notify] = Suivre/Ne plus suivre;
 
diff --git a/web/lang/he.po b/web/lang/he.po
index d5c19b7..ad0c558 100644
--- a/web/lang/he.po
+++ b/web/lang/he.po
@@ -14,7 +14,7 @@ global $_t;
 
 $_t[Confirm your e-mail address:] = אישור כתובת הדוא״ל 
שלך;
 
-$_t[This package has been flagged out of date.] = החבילה מסומנת 
כלא עדכנית.;
+$_t[This package has been flagged out of date] = החבילה מסומנת 
כלא עדכנית;
 
 $_t[Missing a required field.] = שדה הכרחי חסר.;
 
diff --git a/web/lang/hr.po b/web/lang/hr.po
index 93028b7..4d46fec 100644
--- a/web/lang/hr.po
+++ b/web/lang/hr.po
@@ -162,7 +162,7 @@ $_t[Description] = Opis;
 
 $_t[unknown] = nepoznato;
 
-$_t[This package has been flagged out of date.] = Paket je obilježen kao 
zastarijeli.;
+$_t[This package has been flagged out of date] = Paket je obilježen kao 
zastarijeli;
 
 $_t[No New Comment Notification] = Nemoj me više obavještavati o novim 
komentarima;
 
diff --git a/web/lang/hu.po b/web/lang/hu.po
index e198ac3..54f3a12 100644
--- a/web/lang/hu.po
+++ b/web/lang/hu.po
@@ -6,7 +6,7 @@ global $_t;
 
 $_t[Search by] = Keresés eszerint;
 
-$_t[This package has been flagged out of 

Re: [aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

2010-09-30 Thread Lukas Fleischer
On Thu, Sep 30, 2010 at 06:18:24PM +0200, PyroPeter wrote:
 +  $url = str_replace('','amp;', $url);
 +  $url = str_replace('amp;amp;', 'amp;', $url);
 
 What about the occurrences of &amp;(html-entity-code-here); that you
 produced in the line before?

Nothing? Any occurrence of an HTML entity code is correctly encoded as
&amp;. People shouldn't be able to manually insert HTML entities in
comments. The first line is actually even superfluous, as I realized just
now, since ampersands should already have been replaced by
htmlspecialchars() by the time this line is executed (I didn't
check that before; this part of the code has been extracted from the
DokuWiki plugin).

 +  $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . 
 $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
 +  $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . 
 $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
 
 I am not that experienced with PHP, but this looks like the $patterns
 array got replaced instead of extended.

Nope, it doesn't. Check [1].

 +  $comment = htmlspecialchars($comment);
 
 Won't this render the next instruction useless if there are
 html-characters in a link?

Nope. Links need to be escaped as well. Not sure what happens if a link
contains quotes or /. This shouldn't happen too often tho.

 Generally I would not make hostnames (www.foo.tld) clickable.
 If people are not able to provide proper URLs, they have a serious
 problem. (There is also the technical argument that the hostname is not
 a good indicator for the kind of service the host provides.)

Why not? What if you explicitly want to link to a project's home page?
It'll also only convert hostnames if they start with a www or ftp
subdomain, so comments referring to domains in other ways won't be
converted.

[1]
http://www.php.net/manual/de/language.types.array.php#language.types.array.syntax.modifying


[aur-dev] AUR update

2010-09-30 Thread Netanel Shine
When are we gonna see the AUR get the update?

Adding all the fixes, new translations and the other commits?


Re: [aur-dev] AUR update

2010-09-30 Thread Lukas Fleischer
On Thu, Sep 30, 2010 at 07:28:21PM +0200, Netanel Shine wrote:
 When are we gonna see the AUR get the update?
 
 Adding all the fixes, new translations and the other commits?

The AUR has been updated just about a week ago :) It's now on 1.7.0.


Re: [aur-dev] AUR update

2010-09-30 Thread Netanel Shine
Still not for RTL for the Hebrew language; I think that someone released a patch
for that.

- Original Message -
From: Lukas Fleischer archli...@cryptocrack.de
To: Arch User Repository (AUR) Development aur-dev@archlinux.org
Sent: Thursday, September 30, 2010 7:27:18 PM (GMT+0200) Auto-Detected
Subject: Re: [aur-dev] AUR update

On Thu, Sep 30, 2010 at 07:28:21PM +0200, Netanel Shine wrote:
 When are we gonna see the AUR get the update?
 
 Adding all the fixes, new translations and the other commits?

The AUR has been updated just about a week ago :) It's now on 1.7.0.


Re: [aur-dev] AUR update

2010-09-30 Thread Lukas Fleischer
On Thu, Sep 30, 2010 at 08:34:52PM +0300, Panos Filip wrote:
 What I would really like to see is if the new patches from CCR will go
 through testing for AUR 1.8 :)

Erm...
http://chakra-project.org/ccr/pkgbuildview.php?pkgbuild=../../../../../etc/passwd

*sigh*


Re: [aur-dev] AUR update

2010-09-30 Thread Lukas Fleischer
On Thu, Sep 30, 2010 at 11:16:55PM +0530, Gaurish Sharma wrote:
 OMG!!

I already told Manuel about this security vulnerability yesterday [1].
He didn't seem to do anything against it yet tho.

My advice is not to include any of those patches without proper review.

[1]
http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001242.html


Re: [aur-dev] [PATCH] Geshi AUR implementation

2010-09-30 Thread Lukas Fleischer
On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
  This introduces a remote file inclusion vulnerability allowing an
  attacker to read arbitrary files since $pkgbuild is not validated
  before passing it to file_get_contents().
  
  Don't apply this patch until everything is fixed, please.
 Thanks for your suggestions, I added them all to CCR ;)

Btw, this is still not fixed! Have a look at [1].

You should consider using basename(), realpath() and/or regexp to check
the PKGBUILD path. Also check [2], [3].

[1]
http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
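
The request quoted earlier in this thread is a plain path traversal: a query
parameter is joined onto a directory and handed to file_get_contents(), so
"../" sequences walk out of the package tree. As an added example (not CCR's
or the AUR's code; the directory layout, the parameter handling and the exact
allow-list are assumptions made for this example), here is that vulnerable
shape next to a hardened version that applies the realpath()/regexp advice
above: an allow-list on the package name first, then a realpath() containment
check as a second line of defence.

```php
<?php
// Added example, not code from CCR or the AUR. The vulnerable shape is inferred
// from the request quoted in the thread: a query parameter is joined onto a
// directory and passed to file_get_contents(), so "../../../../../etc/passwd"
// escapes the package tree. The layout below is an assumption.

const PKG_ROOT = '/srv/ccr/packages';   // assumed: <root>/<pkgname>/PKGBUILD

// Vulnerable: the name is used as-is, so "../" sequences walk up the tree.
function pkgbuild_path_vulnerable(string $pkg): string
{
    return PKG_ROOT . '/' . $pkg . '/PKGBUILD';
}

// Step 1: allow-list the name. PKGBUILD(5) permits alphanumerics and @ . _ + -
// and forbids a leading "." or "-"; this example is stricter and additionally
// requires lowercase. Neither "/" nor a name starting with "." can pass.
function is_valid_pkgname(string $pkg): bool
{
    return preg_match('/^[a-z0-9@_+][a-z0-9@._+-]*$/', $pkg) === 1;
}

// Step 2: even for a valid name, resolve the final path and confirm it is still
// below the root. realpath() collapses ".." and follows symlinks, so a package
// directory that is a symlink to somewhere outside the tree is rejected too.
function pkgbuild_path_safe(string $pkg): ?string
{
    if (!is_valid_pkgname($pkg)) {
        return null;
    }
    $root = realpath(PKG_ROOT);
    $path = ($root === false) ? false : realpath($root . '/' . $pkg . '/PKGBUILD');
    if ($path === false || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;   // missing file, or resolved to somewhere outside the root
    }
    return $path;
}

// Constructed inputs: the first would be served (if the file exists); the rest
// are rejected by the allow-list before the filesystem is touched at all.
$names = ['vim-plugin', '../../../../../etc/passwd', 'foo/../../../etc/passwd', '.git', ''];
foreach ($names as $name) {
    printf("%-32s allow-list: %-8s vulnerable path: %s\n",
        var_export($name, true),
        is_valid_pkgname($name) ? 'ok' : 'REJECTED',
        pkgbuild_path_vulnerable($name));
}
```

Only the value returned by pkgbuild_path_safe() should ever reach
file_get_contents(). The allow-list is the real fix, since it rejects any slash
or leading dot before a single syscall is made; realpath() is there for what the
allow-list cannot see, such as a package directory that has been replaced by a
symlink pointing elsewhere.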


Re: [aur-dev] AUR update

2010-09-30 Thread Panos Filip
On Thu, Sep 30, 2010 at 8:42 PM, Lukas Fleischer
archli...@cryptocrack.dewrote:

 On Thu, Sep 30, 2010 at 08:34:52PM +0300, Panos Filip wrote:
  What I would really like to see is if the new patches from CCR will go
  through testing for AUR 1.8 :)

 Erm...

 http://chakra-project.org/ccr/pkgbuildview.php?pkgbuild=../../../../../etc/passwd

 *sigh*


:O :O :O seriously ??


Re: [aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

2010-09-30 Thread PyroPeter

On 09/30/2010 06:38 PM, Lukas Fleischer wrote:

On Thu, Sep 30, 2010 at 06:18:24PM +0200, PyroPeter wrote:

+  $url = str_replace('','amp;', $url);
+  $url = str_replace('amp;amp;', 'amp;', $url);


What about the occurrences of &amp;(html-entity-code-here); that you
produced in the line before?


Nothing? Any occurrence of an HTML entity code is correctly encoded as
&amp;. People shouldn't be able to manually insert HTML entities in
comments. The first line is actually even superfluous, as I realized just
now, since ampersands should already have been replaced by
htmlspecialchars() by the time this line is executed (I didn't
check that before; this part of the code has been extracted from the
DokuWiki plugin).


Well, but you are encoding existing entities that are not &amp; as
&amp;foo;. See the example below.


+  $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
+  $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . 
$any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';


I am not that experienced with PHP, but this looks like the $patterns
array got replaced instead of extended.


Nope, it doesn't. Check [1].


I see, $var[] = foo creates the array $var if necessary and appends
foo.


+  $comment = htmlspecialchars($comment);


Won't this render the next instruction useless if there are
html-characters in a link?


Nope. Links need to be escaped as well. Not sure what happens if a link
contains quotes or /. This shouldn't happen too often tho.


Imo, you should split the message at the link boundaries.
("foo ", "http://foo.bar.tld", " baz")
Then you should encode the HTML entities in all elements, wrap the links
in <a>s, and then join all that together.

I can not think of a way to connect <a> tags with proper encoding of
the user input using just normal string functions like replace, or
regexes.

I would be happy if you could prove the opposite, and will help by
providing you with input that breaks your system.

== example 1 ==

input: foo http://foo.tld/iLikeToUseApersands/foo&bar.html baz

If I am not mistaken, $regex would be
"/http://foo.tld/iLikeToUseApersands/foo&bar.html/msS"
(are the / correctly escaped? I will assume they are.)

Then, $regex would be:
/http:\/\/foo\.tld\/iLikeToUseApersands\/foo&bar\.html/msS

$comment would be set by htmlspecialchars() to:
foo http://foo.tld/iLikeToUseApersands/foo&amp;bar.html baz

=> preg_replace_callback() would not match, as & got replaced.


Generally I would not make hostnames (www.foo.tld) clickable.
If people are not able to provide proper URL's, they have a serious
problem. (there is also the technical argument that the hostname is not
a good indicator for the kind of service the host provides.)


Why not? What if you explicitly want to link to a project's home page?
It'll also just convert hostnames if they start with a www or ftp
subdomain, so comments refering to domains in other ways won't be
converted.


You can also link to a homepage using valid URLs. The additional
feature may be nice, but makes the code more complex. It also
trains users to omit the "http://" and produces more work for devs,
as they all now have to parse this invalid hostname+path stuff.

Unrelated: You seem to accept only a-zA-Z in hostnames? Or does
PHP's \w include 0-9 and language-dependent letters? What about
underscores?

Why does the <a>'s content only include the path of the URL?

Regards, PyroPeter
--
freenode/pyropeter  12:50 - Ich drücke Return.


Re: [aur-dev] AUR update

2010-09-30 Thread PyroPeter

On 09/30/2010 09:34 PM, Manuel Tortosa wrote:

On Thursday 30 September 2010 19:51:12 Lukas Fleischer wrote:

On Thu, Sep 30, 2010 at 11:16:55PM +0530, Gaurish Sharma wrote:

OMG!!


I already told Manuel about this security vulnerability yesterday [1].
He didn't seem to do anyting against it yet tho.

My advice is not to include any of those patches without proper review.

[1]
http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001242.html


I tried to do something but I failed. I removed this completely and
changed all the passwords and so on, but now I'm completely disolated..


There were no passwords in that file. (They are saved in /etc/shadow)
Without that file your server won't boot.

Regards, PyroPeter
--
freenode/pyropeter  12:50 - Ich drücke Return.


Re: [aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

2010-09-30 Thread Lukas Fleischer
On Thu, Sep 30, 2010 at 08:56:56PM +0200, PyroPeter wrote:
 Well, but you are encoding existing entities that are not &amp; as
 &amp;foo;. See the example below.

Yep, and that's how it's supposed to be. There shouldn't be any entities
that users put in the comments and that are not encoded.

 I see, $var[] = foo creates the array $var if necessary and appends
 foo.

Correct.

 Imo, you should split the message at the link boundaries.
 ("foo ", "http://foo.bar.tld", " baz")
 Then you should encode the HTML entities in all elements, wrap the links
 in <a>s, and then join all that together.

Yes... That would be cleaner, but also way more complicated to implement
and would require huge amounts of code for making links clickable.

 == example 1 ==
 
 input: foo http://foo.tld/iLikeToUseApersands/foo&bar.html baz
 
 If I am not mistaken, $regex would be
 "/http://foo.tld/iLikeToUseApersands/foo&bar.html/msS"
 (are the / correctly escaped? I will assume they are.)
 
 Then, $regex would be:
 /http:\/\/foo\.tld\/iLikeToUseApersands\/foo&bar\.html/msS
 
 $comment would be set by htmlspecialchars() to:
 foo http://foo.tld/iLikeToUseApersands/foo&amp;bar.html baz
 
 => preg_replace_callback() would not match, as & got replaced.

Why should it not work? preg_replace_callback() still matches if the URL
contains a semicolon. This will be parsed and output a valid link
(tested with current GIT version and patch applied).

 You can also link to a homepage using valid URLs. The additional
 feature may be nice, but makes the code more complex. It also
 trains users to omit the "http://" and produces more work for devs,
 as they all now have to parse this invalid hostname+path stuff.

Hm, that's a question of taste. We'll let Loui decide :p

 Unrelated: You seem to accept only a-zA-Z in hostnames? Or does
 PHP's \w include 0-9 and language-dependent letters? What about
 underscores?

\w in perl compatible regex includes all alphanumeric characters plus
the underscore (_).

 Why does the <a>'s content only include the path of the URL?

It doesn't. The <a></a>'s content contains exactly what the user
typed (with special chars converted by htmlspecialchars()).

Please don't just assume things, but test your examples using a current
GIT checkout with the patch applied in the future.
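
The split-escape-join approach PyroPeter proposes earlier in the thread, as an
added example in PHP (not the patch's code, nor DokuWiki's or the AUR's). It
runs the ampersand case from his example 1, HTML in the surrounding text,
trailing punctuation and a line break through a linkifier that never lets the
escaping step and the link markup touch the same string. The URL pattern, the
trailing-punctuation rule and the rel="nofollow" attribute are choices made for
this example; bare hostnames are deliberately left as text.

```php
<?php
// Added example, not code from the patch, from DokuWiki or from the AUR:
// linkify a comment by splitting it at URL boundaries, escaping each piece
// on its own and joining the pieces back together. The URL pattern and the
// trailing-punctuation rule are assumptions made for this example.

// One capturing group, so preg_split() hands the URLs back alongside the text.
// Absolute http/https/ftp URLs only; bare hostnames stay plain text. The
// lookahead stops the match before trailing punctuation that is followed by
// whitespace or the end of the text ("see http://x.tld/a, and ...").
const URL_PATTERN = '~(\b(?:https?|ftp)://[^\s<>"\']+?)(?=[.,;:?!)]*(?:\s|$))~i';

function escape_html(string $s): string
{
    // ENT_QUOTES: safe inside a double- or single-quoted attribute as well as text.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_link(string $url): string
{
    // href and visible text are escaped independently of the surrounding
    // text; the browser decodes &amp; back to & before following the link.
    $safe = escape_html($url);
    return '<a href="' . $safe . '" rel="nofollow">' . $safe . '</a>';
}

function linkify_comment(string $comment): string
{
    // With PREG_SPLIT_DELIM_CAPTURE the pieces alternate: text, URL, text, URL, ..., text.
    $parts = preg_split(URL_PATTERN, $comment, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $part) {
        $html .= ($i % 2 === 1) ? render_link($part) : escape_html($part);
    }
    // Line breaks go in last, on text that is already escaped.
    return nl2br($html);
}

// Constructed sample input covering the cases raised in the thread: an
// ampersand inside a URL, HTML in the text, trailing punctuation, a line
// break and a bare hostname without a scheme.
$sample = "see http://foo.tld/iLikeToUseApersands/foo&bar.html, or <b>this</b>:\n"
        . "ftp://ftp.foo.tld/pub/ and www.bar.tld (no scheme, stays text)";

echo linkify_comment($sample), "\n";
```

Because the text pieces and the URL pieces are escaped separately,
htmlspecialchars() can use ENT_QUOTES without interfering with URL matching,
and the href receives &amp; where the comment had a bare ampersand, which the
browser decodes again before requesting the link. nl2br() runs after all
escaping, the same order the original template used.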