From 80646ca6c84a93a20a1b26caed5f147f282d8fcf Mon Sep 17 00:00:00 2001
From: Steven Wittens
Date: Mon, 12 Mar 2007 01:34:28 +0000
Subject: [PATCH] #105031: Allow both upper and lower case for allowed protocols in XSS checks.

---
 modules/filter/filter.module | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index ac13a0e98a5..65ad16d4582 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1475,8 +1475,9 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
 if (preg_match('![/?#]!', $protocol)) {
 break;
 }
+ // Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive
 // Check if this is a disallowed protocol.
- if (!isset($allowed_protocols[$protocol])) {
+ if (!isset($allowed_protocols[strtolower($protocol)])) {
 $string = substr($string, $colonpos + 1);
 }
 }
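Review bot: The case normalisation is applied only to the lookup key, so `$allowed_protocols` must already be keyed in lower case for a scheme such as `HTTP:` to be accepted; that array is built outside the hunk, and if it is populated from site configuration an entry typed in upper case would silently never match (the scheme is stripped, which fails closed but is not what the administrator configured). Lower-casing the keys where `$allowed_protocols` is constructed, or documenting that requirement there, would make both sides of the comparison agree. On the added comment, Drupal comments are full sentences ending in a period and RFC numbers are written with a space, e.g. `// Per RFC 2616, section 3.2.3 (URI Comparison), scheme comparison must be case-insensitive.`; RFC 3986, section 3.1, states the same rule for URI schemes in general and is the more direct reference. filter_xss_bad_protocol() starts and ends outside the hunk.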