=== modified file 'includes/common.inc'
--- includes/common.inc
+++ includes/common.inc
@@ -646,11 +646,12 @@
  * TRUE if the URL is in a valid format.
  */
 function valid_url($url, $absolute = FALSE) {
-  $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,~=#&%\+]';
   if ($absolute) {
-    return preg_match("/^(http|https|ftp):\/\/". $allowed_characters ."+$/i", $url);
+    // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
+    return strpos($path, ':') !== FALSE && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
   }
   else {
+    $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,~=#&%\+]';
     return preg_match("/^". $allowed_characters ."+$/i", $url);
   }
 }
@@ -959,8 +960,7 @@
   }
 
   // Return an external link if $path contains an allowed absolute URL.
-  // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
-  if (strpos($path, ':') !== FALSE && filter_xss_bad_protocol($path, FALSE) == check_plain($path)) {
+  if (valid_url($path, TRUE)) {
     // Split off the fragment
     if (strpos($path, '#')) {
       list($path, $old_fragment) = explode('#', $path, 2);
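Review bot: The new absolute branch of valid_url reads `$path`, but the function's only parameter is `$url`, so `$path` is undefined here and the branch can never return TRUE; the two added lines should read `// Only call the slow filter_xss_bad_protocol if $url contains a ':'.` and `return strpos($url, ':') !== FALSE && filter_xss_bad_protocol($url, FALSE) === check_plain($url);`. Since the second hunk now routes the external-link detection in url() through `valid_url($path, TRUE)`, every absolute URL would be handled as an internal path until this is corrected, which is both a functional regression and a change in how untrusted link targets are classified. The strict `===` is preferable because both operands are strings and loose `==` adds nothing here. The docblock above (`TRUE if the URL is in a valid format`) no longer describes the absolute branch, which now accepts whatever scheme filter_xss_bad_protocol permits rather than only http/https/ftp, so it should say so. The function containing the second hunk starts outside the hunk.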