I just tried and had no problem

Use the exact link I gave in the description, it is a relative link.

I confirm the issue.
When using : in a relative link, $protocol (in that case it is dokuwiki/doku.php?id=support) does not include any of the items accepted in the $scheme array, i.e.

			$scheme   = array(
					'http', 'https', 'ftp', 'ftps', 'gopher', 'mailto',
					'news', 'prospero', 'telnet', 'rlogin', 'tn3270', 'wais',
					'mid', 'cid', 'nntp', 'tel', 'urn', 'ldap', 'file', 'fax',
					'modem', 'git', 'sms',
				);

therefore it throws the warning and returns false

See https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_menus/controllers/item.php#L331-L356

There must be a reason for this code, maybe security.

There must be a reason for this code, maybe security.

@SniperSister?

Well, it's a url field, so checking the schema against a list of allowed schemes (that was the code in question does) is a straightforward thing todo in terms of input validation

@SniperSister thanks for Comment.

@helgator

As it is quite easy to enter a non-relative url in your specific case, could you please close this Issue? (or can we?)

I know one can enter a non-relative url. But it is highly inconvenient to impossible when you have a ready made Joomla installation for your community that gets of course installed on different domains. These links have to be relative or each user has to look for the external links and customise them. That is error prone for no good reason. Why not fix the problem? After all we are not at M$ here right? :)

@helgator make a suggestion how to fix this. Disabling input validation surly isn’t a proper solution, so what would you suggest?

How about checking the scheme only when length of protocol is less than 9?

if (strlen($protocol) < 9 && !in_array($protocol, $scheme))

My suggestion: Why do we need input validation here? It is the admin who is working here.

And if you really want to validate then line 335 should be something like maybe, not sure:

if (strstr($data['link'], '://'))

My suggestion: Why do we need input validation here? It is the admin who is working here.

Joomla has a configurable ACL System, so it’s possible to give low-privilege users access to the menue manager. So it’s not only “the admin” accessing this form.

Checking for :// isn’t an option either, because the slashes aren’t part of the URL specification and not all protocols require them. Popular example are mailto links.

Okay lets call the users accessing the menu items "privileged". Should those users not be trustworthy users? Why do their inputs need to be validated?

If we think validation is necessary anyway then Im out and the code savy people have to take over.

Okay lets call the users accessing the menu items "privileged". Should those users not be trustworthy users? Why do their inputs need to be validated?

Because those users aren't trustworthy in all cases, it depends on your specific usecase. For the same reason there's input filtering in com_content article for Administrator-level users. And for the same reason we only allow superadmins to access the extension manager.

If we think validation is necessary anyway then Im out and the code savy people have to take over.

That's the key thing here, it's not a code problem, it's a question of "what is the expected behavior" and weighting security and convenience.

Im sure there is a way to reconcile the two via code.

Any progress in the JLB about this? thx

@HLeithner any Comment?

@helgator does it work if you url encode the string?

dokuwiki/doku.php?id=support%3Astart

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/22417

Closing due to no response.

Sorry for the late reply. Because I needed a quick solution I made a html override of the menu module and hard coded my link in there. Hence never got a chance to test the url encode approach in production.

@HLeithner
Your solution works fine.