From 8ce4d5989a5357cd9c011ed74df8509d99a2cb53 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sat, 3 May 2025 23:59:01 +1200
Subject: Improve fix to CVE-2025-30087

After releasing the fix for CVE-2025-30087, Best Practical became aware that
the new linking restrictions were too strict in some cases, causing legitimate
links to stop working. This is most pronounced for users running RTIR, where
many links stop working. This patch should resolve that.

Patch-Name: upstream_5.0.7_cve:_patchset_2025-04-11.diff
Author: Best Practical <support@bestpractical.com>
Forwarded: not-needed
Applied: 5.0.8
---
 lib/RT/Interface/Web/Scrubber/Restrictive.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/RT/Interface/Web/Scrubber/Restrictive.pm b/lib/RT/Interface/Web/Scrubber/Restrictive.pm
index aecfca88..3cfd3d2c 100644
--- a/lib/RT/Interface/Web/Scrubber/Restrictive.pm
+++ b/lib/RT/Interface/Web/Scrubber/Restrictive.pm
@@ -92,13 +92,14 @@ Passed to L<HTML::Scrubber/rules>.
 
 our %RULES = (
     a => {
+        %RT::Interface::Web::Scrubber::ALLOWED_ATTRIBUTES,
         $RT::Interface::Web::Scrubber::RULES{a} ? %{ $RT::Interface::Web::Scrubber::RULES{a} } : (),
         href => sub {
             my ( $self, $tag, $attr, $href ) = @_;
             return $href unless $href;
 
             # Allow internal RT macros like __WebPath__, etc.
-            return $href if $href =~ qr{^(?:/|__Web(?:Path|HomePath|BaseURL|URL)__)}i;
+            return $href if $href !~ /^\w+:/ && $href =~ $RT::Interface::Web::Scrubber::ALLOWED_ATTRIBUTES{'href'};
 
             my $uri = URI->new($href);
             unless ( $uri->can("host") && $uri->host ) {
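Review bot: The scheme test `$href !~ /^\w+:/` in the new early return is narrower than the URI scheme grammar: `\w` does not cover `+`, `-` or `.`, so an href whose scheme contains one of those is treated as scheme-less and is then judged only by `$RT::Interface::Web::Scrubber::ALLOWED_ATTRIBUTES{'href'}`, which is defined outside this hunk. Consider `$href !~ /^[a-z][a-z0-9+.-]*:/i` so the guard does not depend on how that shared pattern is anchored. An href beginning with `//` also passes the scheme test and, if the shared pattern accepts a leading `/` (the removed line did), returns before the `$uri->host` check below; it is worth confirming that this is intended. The comment above the changed line is now stale, since the branch admits any scheme-less href the base scrubber allows rather than only RT macros; `# Allow scheme-less hrefs (relative paths, RT macros such as __WebPath__) accepted by the base scrubber's href pattern.` would match the code. The `href` sub continues past the end of the hunk.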
