diff -ur phpBB2.orig/includes/bbcode.php phpBB2/includes/bbcode.php
--- phpBB2.orig/includes/bbcode.php	2006-06-09 16:29:41.000000000 +0200
+++ phpBB2/includes/bbcode.php	2006-07-03 13:26:27.000000000 +0200
@@ -194,13 +194,17 @@
 	$patterns = array();
 	$replacements = array();
 
+ 	// These are the URL schemas we trust to be safe. This is to prevent
+ 	// cross side scripting with javascript:, chrome: etc urls.
+ 	$allowed_urlschemas = '(?:http|https|ftp|news|nntp|telnet|gopher|mailto)';
+
 	// [img]image_url_here[/img] code..
 	// This one gets first-passed..
-	$patterns[] = "#\[img:$uid\]([^?](?:[^\[]+|\[(?!url))*?)\[/img:$uid\]#i";
+	$patterns[] = "#\[img:$uid\]($allowed_urlschemas://[^ \"\n\r\t<]*?)\[/img:$uid\]#si";
 	$replacements[] = $bbcode_tpl['img'];
 
 	// matches a [url]xxxx://www.phpbb.com[/url] code..
-	$patterns[] = "#\[url\]([\w]+?://([\w\#$%&~/.\-;:=,?@\]+]+|\[(?!url=))*?)\[/url\]#is";
+	$patterns[] = "#\[url\]($allowed_urlschemas://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url1'];
 
 	// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
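Review bot: The new `[img]` pattern on the `+` line still lets `'` and `>` through in the URL capture, since its class only stops at space, `"`, whitespace and `<`, so the result is only safe if `$bbcode_tpl['img']` places the capture inside a double-quoted attribute; if that template (outside this hunk) uses single quotes, tightening the class to `[^ \"'<>\n\r\t]` preserves the intent. The `s` modifier added to that pattern has no effect because the pattern contains no `.`, so it can be dropped or its purpose commented. The scheme-less `[url]www…[/url]` and `[url=www…]` patterns that follow each hunk are unchanged and outside this view; they should be checked to confirm their templates prepend a fixed scheme so the allowlist introduced here is not bypassed. The same allowlist substitution is applied in the second hunk for `[url=xxxx://…]` and needs no separate change. The comment on the added lines should read `// These are the URL schemes we trust. This prevents cross-site scripting via javascript:, chrome: etc. URLs.`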
@@ -208,7 +212,7 @@
 	$replacements[] = $bbcode_tpl['url2'];
 
 	// [url=xxxx://www.phpbb.com]phpBB[/url] code..
-	$patterns[] = "#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
+	$patterns[] = "#\[url=($allowed_urlschemas://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url3'];
 
 	// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
