I could not agree more with this response.
For my part, I would only be interested in passing ftp://, http:// and
https:// URLs, with webbugs removed, and possibly dangerous http:// URLs
cleaned up.
What about adding capability for a regular expression list, analogous to
the "file_list_#" list in the sanitizer.cfg.
Something like a url_policy_list.
I can't think of doing anything but defanging a URL (you can't scan it,
and it doesn't seem like a good idea to remove it), but this would give
the flexibility to let the admin choose what is acceptable. Also,
specific types of URLs could then be easily blocked without needing a
patch later.
One such example is http://######## URLs. They include a hex format of
an IP address, and are pretty much only used for obfuscating the location
that the user is being taken to.
Also, URLs which include an @ sign can be used to obfuscate the real
location.
e.g.: http://www.paypal.com/login.cgi?this_means_nothing@IP_ADDRESS
Attachments:
+ http://mailtools.anomy.net/archives/anomy-list//14/e3/3d888def/01.unnamed.html
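As an added illustration of the url_policy_list idea proposed above (example code, not part of the sanitizer or of this post), the following Python applies an ordered list of regex rules with an allow/defang action to each URL. The rule set is constructed here and goes slightly beyond the post: it catches both hex-format and bare decimal (dword) IP hosts, and any '@' in an ftp/http/https link, including the query-string position used in the example.

```python
import re
from typing import List, Tuple

# Constructed policy (not from sanitizer.cfg): ordered (regex, action) pairs
# in the spirit of the proposed url_policy_list; the first match wins.
# "allow" passes the link through, "defang" keeps it visible but unclickable.
URL_POLICY_LIST: List[Tuple[str, str]] = [
    # '@' trick: a client ignores everything before '@' in the authority, so
    # the visible host is not the real destination. Conservative: flag any '@'
    # in the link, since even a query-string '@' misleads the reader.
    (r"^(?:ftp|https?)://\S*@", "defang"),
    # host written as a hex (0x...) or bare decimal number instead of a name
    (r"^https?://(?:0x[0-9a-f]+|\d{8,10})(?=[:/?#]|$)", "defang"),
    # plain ftp/http/https links are acceptable
    (r"^(?:ftp|https?)://", "allow"),
    # everything else (javascript:, data:, file:, ...) is defanged
    (r".", "defang"),
]


def classify(url: str, policy: List[Tuple[str, str]] = URL_POLICY_LIST) -> str:
    """Return the action of the first policy entry whose regex matches."""
    for pattern, action in policy:
        if re.search(pattern, url, re.IGNORECASE):
            return action
    return "defang"  # no rule matched: fail closed


def defang(url: str) -> str:
    """Neuter a link: http -> hxxp, ftp -> fxp, dots in the host bracketed."""
    m = re.match(r"^([a-z][a-z0-9+.-]*)://([^/?#]*)(.*)$", url,
                 re.IGNORECASE | re.DOTALL)
    if not m:
        # no "://" (mailto:, javascript:, ...): break the scheme separator
        return url.replace(":", "[:]", 1)
    scheme, authority, rest = m.groups()
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    return f"{scheme}://{authority.replace('.', '[.]')}{rest}"


def apply_policy(url: str) -> str:
    """Pass an allowed link through unchanged, defang anything else."""
    return url if classify(url) == "allow" else defang(url)
```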