Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.603
diff -u -F^f -r1.603 common.inc
--- includes/common.inc 21 Dec 2006 22:20:19 -0000 1.603
+++ includes/common.inc 30 Dec 2006 10:05:09 -0000
@@ -789,11 +789,12 @@ function valid_email_address($mail) {
 * TRUE if the URL is in a valid format.
 */
 function valid_url($url, $absolute = FALSE) {
- $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,;~=#&%\+]';
 if ($absolute) {
- return preg_match("/^(http|https|ftp):\/\/". $allowed_characters ."+$/i", $url);
+ // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
+ return strpos($url, ':') !== FALSE && filter_xss_bad_protocol($url, FALSE) == check_plain($url);
 }
 else {
+ $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,~=#&%\+]';
 return preg_match("/^". $allowed_characters ."+$/i", $url);
 }
 }
@@ -1140,8 +1141,7 @@ function url($path = NULL, $query = NULL
 }
 
 // Return an external link if $path contains an allowed absolute URL.
- // Only call the slow filter_xss_bad_protocol if $path contains a ':'.
- if (strpos($path, ':') !== FALSE && filter_xss_bad_protocol($path, FALSE) == check_plain($path)) {
+ if (valid_url($path, TRUE)) {
 // Split off the fragment
 if (strpos($path, '#') !== FALSE) {
 list($path, $old_fragment) = explode('#', $path, 2);
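Review bot: The absolute branch of valid_url() no longer restricts the scheme to http/https/ftp or the characters to the `$allowed_characters` set; the new expression only requires a colon and that `filter_xss_bad_protocol($url, FALSE)` equals `check_plain($url)`. filter_xss_bad_protocol() is defined outside this hunk, so what it accepts cannot be confirmed here, but callers that use `valid_url($url, TRUE)` to validate user-supplied URLs before storing or fetching them probably get a weaker guarantee than before, since whitespace, quotes and non-web schemes are no longer rejected by this function itself. If the loosening is only needed by url(), consider keeping the regex in valid_url() and leaving the protocol comparison in url(). Two smaller points: the added comment says `$path` although the parameter is `$url`, and the relative branch silently drops `;` from the allowed set (`\$,;~=` became `\$,~=`), which should either be explained in the commit message or restored.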
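Review bot: url() now decides whether `$path` is an external link through `valid_url($path, TRUE)`, so a function documented as a format validator becomes the protocol gate for generated links, and the call site no longer says so now that the colon-shortcut comment is gone. Anyone who later tightens valid_url() for form validation would also change which paths url() treats as external, and the reverse. A comment at the call, for example `// valid_url(..., TRUE) is the allowed-protocol check; changing it changes which paths are handled as external links.`, would record that coupling. The body of url() starts and ends outside this hunk.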