Mark, you're correct. You did find a bug.

UBB.threads was attempting to add URL BBCode around the outside of non-acceptable URL protocols. The bug seems to have existed for most of the 7.5.x series of UBB.threads. I've made the corrections to the code and now only the three acceptable protocols will be parsed. These corrections will be available in 7.6.0+

Thanks for the good find!


For security, the protocols accepted by the [url] tag will only accept local (relative) URLs, and URLs that use the http:, https:, or ftp: protocols. In particular, it will not accept any URL that uses protocols such as the javascript: protocol. This limitation is for security reasons, and can prevent code injection on your site. This includes any non-standard usage of the protocol format, such as chrome:, and about:.

isaac @ // my forum @
a current developer of UBB.threads php forum software // 7.6.2 Released