id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc	difficulty
3747	forward() allows for only http/https URLs	jricher		"The core function forward() prepends the site root to any inputs that don't start with http: or https:

While the intent of this is clear (give an unambiguous redirection for relative URLs), this falls apart when trying to redirect to a valid, absolute, and non-http URL. Examples of this usage include doing application-level callbacks on a mobile device (app://parameter) or directing an action to content on an external non-http server, such as FTP.

The easiest fix for 1.7 would be to add an optional flag to the forward() call which would bypass the http:// check when set. A deeper fix would be to gut the forward() function's check and replace it with better filter logic."	Defect	closed	normal	Elgg 1.8.1	Core	1.7	minor	fixed	redirect, forward, location, http	brett@…	
