--- includes/common.inc	2006-09-01 17:00:06.000000000 +0800
+++ includes/common.inc	2006-09-05 09:51:03.000000000 +0800
@@ -694,11 +694,12 @@ function valid_email_address($mail) {
  *   TRUE if the URL is in a valid format.
  */
 function valid_url($url, $absolute = FALSE) {
-  $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,~=#&%\+]';
   if ($absolute) {
-    return preg_match("/^(http|https|ftp):\/\/". $allowed_characters ."+$/i", $url);
+    // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
+    return strpos($url, ':') !== FALSE && filter_xss_bad_protocol($url, FALSE) == check_plain($url);
   }
   else {
+    $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,~=#&%\+]';
     return preg_match("/^". $allowed_characters ."+$/i", $url);
   }
 }
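Review bot: The `$absolute` branch of `valid_url()` no longer checks the URL's characters or its `scheme://` prefix. The new return only tests that the string contains a ':' and that `filter_xss_bad_protocol()` leaves it equal to `check_plain($url)`, so, as far as the visible expression shows, spaces, quotes or angle brackets after an allowed protocol are reported valid, and the accepted schemes become whatever the protocol filter allows rather than http/https/ftp. That suits `url()` in the second hunk, where `valid_url($path, TRUE)` replaces the same inline test, but callers that use this function to validate submitted input get less than the docblock's "TRUE if the URL is in a valid format" promises. If the loosening is intended, state it in the docblock (which starts above this hunk), for example `With $absolute set, only the protocol is checked against the allowed list; the rest of the URL is not validated.`; otherwise keep the strict pattern here and give `url()` a separate protocol-only helper. The added comment also names `$path` although this function's parameter is `$url`: `// Only call the slow filter_xss_bad_protocol if $url contains a ':'.`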
@@ -1024,8 +1025,7 @@ function url($path = NULL, $query = NULL
   }
 
   // Return an external link if $path contains an allowed absolute URL.
-  // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
-  if (strpos($path, ':') !== FALSE && filter_xss_bad_protocol($path, FALSE) == check_plain($path)) {
+  if (valid_url($path, TRUE)) {
     // Split off the fragment
     if (strpos($path, '#')) {
       list($path, $old_fragment) = explode('#', $path, 2);