Bug 616: URL-to-link in message.php3

Brent J. Nordquist bjn@horde.org
Sat, 17 Feb 2001 09:32:02 -0600 (CST)


The bug author summarizes this really well, so I'm just going to quote:

> the routine used to generate hot links in e-mail messages does not
> handle URL strings with common operators properly. for instance, mail
> the following url to yourself:
>
> http://whois.nic.or.kr/cgi-bin/newwhois.cgi?VALUE=216.244.174.242&TYPE=++
>
> note that the '++' at the end is not included in the link.
>
> a *quick look* makes me think the culprit is here in the replace:
>
> $tmsg = preg_replace('|(\w+)://([^\s"<]*)([\w#?/&=])|', '<A href="\1://\2\3" target="_blank">\1://\2\3</A>', $tmsg);
>
> (imp/message.php3 line 113)

He's right.  You can see that pattern \3 is only pulling in a specific
list of characters.  I could add "+" to that list, but then this may
come up again.  I was afraid to make it completely liberal (all
non-whitespace) because I suspect it was done this way for a
reason (security?).

Thoughts on what the "right" solution is?  Thanks.

P.S. I have a test page http://kepler.acns.bethel.edu/~bjn/test616.php3
that shows the problem.

-- 
Brent J. Nordquist <bjn@horde.org>
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
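
The trade-off raised in the message above, as an added example that is not part of the original e-mail and is not code from IMP or Horde: the quoted pattern beside one alternative that matches liberally and relies on output escaping rather than on a restricted final character. The helper name linkify_escaped(), the scheme allowlist, the trailing-punctuation list and the assumption that the input is raw plain text not yet HTML-escaped are all choices made for this illustration.

```php
<?php
// Added example: not code from IMP/Horde. linkify_escaped() and its
// scheme allowlist are assumptions made for this illustration.

// Pattern exactly as quoted in the bug report (imp/message.php3 line 113).
function linkify_original(string $text): string
{
    return preg_replace(
        '|(\w+)://([^\s"<]*)([\w#?/&=])|',
        '<A href="\1://\2\3" target="_blank">\1://\2\3</A>',
        $text
    );
}

// Alternative: match liberally, then make the output safe by escaping
// instead of by restricting which characters may end the URL.
function linkify_escaped(string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $out = '';
    $pos = 0;
    // Only allowlisted schemes are linked; the match still stops at
    // whitespace, <, > and ", which delimit URLs in running text.
    preg_match_all('~\b(?:https?|ftp)://[^\s<>"]+~i', $text, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$url, $off]) {
        // Hand back punctuation that normally ends a sentence, not a URL.
        $url = rtrim($url, ".,;:!?)'");
        // Escape the plain text before the URL, then the URL itself.
        $out .= htmlspecialchars(substr($text, $pos, $off - $pos), $flags);
        $esc = htmlspecialchars($url, $flags);
        $out .= '<a href="' . $esc . '" target="_blank" rel="noopener noreferrer">'
              . $esc . '</a>';
        $pos = $off + strlen($url);
    }
    return $out . htmlspecialchars(substr($text, $pos), $flags);
}

// URL from the bug report, then a constructed line with HTML metacharacters.
$samples = [
    'http://whois.nic.or.kr/cgi-bin/newwhois.cgi?VALUE=216.244.174.242&TYPE=++',
    'see http://example.test/?q=a+b"><b>x</b> now.',
];
foreach ($samples as $s) {
    echo "original: ", linkify_original($s), "\n";
    echo "escaped:  ", linkify_escaped($s), "\n\n";
}
```

For the URL from the report, the quoted pattern ends the link at `TYPE=` because `+` is not in the final character class, while the alternative keeps the trailing `++` inside the link.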