TLWSD -- Primitive XSS Filter for URLs

<?
// REQUESTING COMMENTS AND CRITICISMS!
function removeXSS($in) {
  // Experimental feature. Add/remove XSS filters if new attack vectors are discovered.

  // First, grab the protocol and store it.
  preg_match('/^(https|http|ftp|irc):\/\/(.*)/', $in, $matches); // Whitelist
  if(empty($matches)) return null; // Not matched to a URL
  $protocol = $matches[1];

  // We'll keep the rest of the string here, for filtering:
  $in = $matches[2];

  /*

  // Replace what we don't want to have in a URL
  $in = str_replace('&', '&amp;', $in);
  $in = str_replace('\\', '\\\\', $in);
  $in = str_replace('<', '&lt;', $in);
  $in = str_replace('"', '&quot;', $in);
  $in = str_replace(':', '&#58;', $in);
  $in = str_replace("'", "\\'", $in);
  $in = str_replace('>', '&gt;', $in);
  $in = preg_replace('/([^\x20-\x7F]+)/', '', $in); // Remove non-ASCII chars
                                                    // and whitespace!
  */
  $in = preg_replace_callback('/([^\x20\x25\x2E\x2F-\x39\x3F-\x5A\x5F\x61-\x7A])/', function($reg) {
    return '%'.str_pad(
      hexdec(ord($reg[1]), 2, '0', STR_PAD_LEFT)
    );
  },$in);
  $in = htmlspecialchars($in, ENT_QUOTES | ENT_HTML5, 'UTF-8');

  // You can replace this with a call to HTMLPurifier in your implementation;
  // I haven't had the time to research XSS filters so I'm employing a basic one
  // until my circumstances change.

  // If anyone wants to submit some XSS proof-of-concept code, I encourage you
  // to publish it openly as soon as you find it and just tweet me in the public
  // disclosure. Due credit will be given ;)
  return $protocol.'://'.$in;
}
/*                                    --@RiptideTempora */
?>