id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,difficulty
3747,forward() allows for only http/https URLs,jricher,,"The core function forward() prepends the site root to any inputs that don't start with http: or https:

While the intent of this is clear (give an unambiguous redirection for relative URLs), this falls apart when trying to redirect to a valid, absolute, and non-http URL. Examples of this usage include doing application level callbacks on a mobile device (app://parameter) or directing an action to content on an external non-http server, such as FTP.

The easiest fix for 1.7 would be to add an optional flag to the forward() call which would bypass the http:// check when set. A deeper fix would be to gut the forward() function's check and replace it with better filter logic.",Defect,closed,normal,Elgg 1.8.1,Core,1.7,minor,fixed,"redirect, forward, location, http",brett@…,
