Limits the schemes that inline images can use (#22926).

git-svn-id: http://svn.redmine.org/redmine/trunk@15433 e93f8b46-1217-0410-a6f0-8f06a7374b81

Author: jplang

lib/redcloth3.rb

@@ -165,6 +165,7 @@
 #  class RedCloth::Textile.new( str )
 
 class RedCloth3 < String
+    include Redmine::Helpers::URL
 
     VERSION = '3.0.4'
     DEFAULT_RULES = [:textile, :markdown]
@@ -960,6 +961,8 @@ def inline_textile_image( text )
             href, alt_title = check_refs( href ) if href
             url, url_title = check_refs( url )
 
+            return m unless uri_with_safe_scheme?(url)
+
             out = ''
             out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
             out << "<img#{ shelve( atts ) } />"

lib/redmine/wiki_formatting/markdown/formatter.rb

@@ -43,6 +43,12 @@ def block_code(code, language)
             "<pre>" + CGI.escapeHTML(code) + "</pre>"
           end
         end
+
+        def image(link, title, alt_text)
+          return unless uri_with_safe_scheme?(link)
+
+          tag('img', :src => link, :alt => alt_text || "", :title => title)
+        end
       end
 
       class Formatter