Holger Just wrote in #note-2:
Your patch does (probably?) not solve the underlying issue and is at the wrong place. uri_with_safe_scheme? is intended to validate the schemes of URLs of e.g. <img> tags or other resources which cause the browser to load them directly. The correct method to use for links would be uri_with_link_safe_scheme? instead.

With that being said, uri_with_safe_scheme? is the oldest of these related methods and its semantics have changed slightly over time. It might be that this method is still erroneously used in places where uri_with_link_safe_scheme? should be used instead.

In any case, please also provide some tests for changed behavior. This is especially important here since these changes may cause new XSS vulnerabilities in Redmine if we are not careful.
The proposed change is only meant for providing the ability to create links for phone numbers in custom fields. It's solving the issue as the method uri_with_link_safe_scheme? whitelists the allowed protocols for links and is used by source:trunk/lib/redmine/field_format.rb#L217. I've tested the solution and it's working in my dev environment. The patch just adds the :tel scheme to the list. Attached is a patch for extending the existing unit test of the proposed change.