friendica.ambientedigital.org
#bug #friendica ?
Eros Zabeo
Seems that some users have had some issues with the "add link" button located under the edit area when creating a new post.
Each time a URL which begins with "https" is typed, the inclusion of the link doesn't work and this text appears instead of the link itself:
Array
(
)
link
Works fine here - can anybody else duplicate?
Seems to be fine for me at the moment; I tried cleanzero, diabook with Iron Browser (Chromium) and FF ;-)
@Eros Zabeo, if you use an image instead of a link to a site, it gives you that problem (e.g. pinocchio http://s3.amazonaws.com/rapgenius/pinocchio1.gif), but in that specific case you should use the 'img' button and not the one you mention. If instead you use a link that takes you to a site (such as, say, https://www.dropbox.com/ ), then it works fine with that. Try it yourself and then let us know; I think this is your problem ;-)
It also might be specific urls triggering it, not just the http/https scheme but specific websites.
My problem wasn't with an image; I tried with https://vimeo.com and it didn't work. Now I'm on the Android app, I will try later.
Vimeo has oembed, which is often a bit more complicated than a regular link. Anybody want to give it a whirl? I'm a bit overloaded at the moment.
As a side note, I can say that using the same procedure the link http://vimeo.com was working correctly; I have had problems just with the https link.
I just made a fix and did a pull request for that.
I was able to duplicate that link and @Michael Vogel's patch fixed it.

@Michael Vogel looks like my github comment didn't make it. In order to provide styling in bbcode, please block Microsoft's stylesheet js eval mechanism (I forget the exact syntax, but you should be able to google it). One can inject XSS into style blocks.
@Mike the Friendican Doesn't the same problem exist with "color" and "size"?
Right. Yes it probably does. I think if we disallow parens () for any user-supplied css params (including color and size) it should be safe. Though that doesn't let one set a background image - which might be interesting.
Yesterday I built a routine that removes all characters except the ones that you want. In this case: "a" to "z", "0" to "9", ":", ";", "#" and "-". This should allow most stuff.
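The allowlist described in the last post, sketched as an added example (this is not Friendica's code and not the routine from the pull request). The `[style=...]` tag syntax, the function names and the sample values are assumptions made for illustration, and the text is assumed to have been HTML-escaped before this step.

```php
<?php
// Added example. Allowlist taken from the post above:
// "a" to "z", "0" to "9", ":", ";", "#" and "-". Everything else is dropped.
function sanitize_style(string $css): string
{
    // The hyphen is last in the character class, so it is a literal "-".
    return (string) preg_replace('/[^a-z0-9:;#-]/', '', $css);
}

// Hypothetical tag: [style=...]text[/style] rendered as a <span>.
// Assumes $text was HTML-escaped earlier by the bbcode parser.
function render_style_tags(string $text): string
{
    return (string) preg_replace_callback(
        '/\[style=(.*?)\](.*?)\[\/style\]/s',
        function (array $m): string {
            // Only the user-supplied style value goes through the allowlist.
            return '<span style="' . sanitize_style($m[1]) . '">' . $m[2] . '</span>';
        },
        $text
    );
}

// Constructed sample values showing what the allowlist keeps and drops.
$samples = [
    'color:#ff0000;font-size:12px', // only allowed characters
    'color: red',                   // the space is not on the list
    'width:calc(1px + 2px)',        // parentheses go, so no function-call syntax survives
    'background:url(x.png)',        // same rule also breaks background images
    'color:red" title="x',          // quotes go, so the attribute cannot be closed early
    'COLOR:RED',                    // the list is lowercase only
];

foreach ($samples as $css) {
    printf("%-32s => %s\n", $css, sanitize_style($css));
}

echo render_style_tags('[style=color:#00f;font-weight:bold]hello[/style]'), "\n";
```

Because the rule is an allowlist, it also covers "color" and "size" values if they are passed through the same function before being written into a `style` attribute.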