Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -r1.109.2.47 -r1.109.2.48
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 20 Nov 2023 15:04:35 -0000 1.109.2.47
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 16 Feb 2024 11:38:28 -0000 1.109.2.48
@@ -1728,12 +1728,28 @@
 continue
 }
+ #
+ # Try to detect malicious attempts to
+ # "disguise" a protocol by quoting the
+ # colon character.
+ #
+ # The : entity is currently not
+ # automatically unquoted by tDOM, so we
+ # replace it manually. This may go away at
+ # some point.
+ #
+ # See
+ # http://tdom.org/index.html/tktview/d59ea07e74a1903435a947862dd7acd74a4eb92e
+ #
+ set url [string map {: :} $url]
+
 set proto ""
 try {
 set parsed_url [ns_parseurl $url]
 if {[dict exists $parsed_url proto]} {
 set proto [dict get $parsed_url proto]
 }
+
 } on error {errorMsg} {
 ns_log warning "ad_dom_sanitize_html cannot parse URL '$url': $errorMsg"
 #