diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index bcf59efb152..d701062b899 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -1034,10 +1034,11 @@ function clean_param($param, $type) {
 }
 return $param;
- case PARAM_URL: // Allow safe ftp, http, mailto urls.
+ case PARAM_URL:
+ // Allow safe urls.
 $param = fix_utf8($param);
 include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
- if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
+ if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E-u-P-a?I?p?f?q?r?')) {
 // All is ok, param is respected.
 } else {
 // Not really ok.
diff --git a/lib/tests/moodlelib_test.php b/lib/tests/moodlelib_test.php
index 6c66e9a95f7..d3148878d28 100644
--- a/lib/tests/moodlelib_test.php
+++ b/lib/tests/moodlelib_test.php
@@ -615,6 +615,9 @@ class core_moodlelib_testcase extends advanced_testcase {
 $this->assertSame('', clean_param('rtmp://example.com/livestream', PARAM_URL));
 $this->assertSame('', clean_param('rtmp://example.com/live&foo', PARAM_URL));
 $this->assertSame('', clean_param('rtmp://example.com/fms&mp4:path/to/file.mp4', PARAM_URL));
+ $this->assertSame('', clean_param('mailto:support@moodle.org', PARAM_URL));
+ $this->assertSame('', clean_param('mailto:support@moodle.org?subject=Hello%20Moodle', PARAM_URL));
+ $this->assertSame('', clean_param('mailto:support@moodle.org?subject=Hello%20Moodle&cc=feedback@moodle.org', PARAM_URL));
 }
 public function test_clean_param_localurl() {
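Review bot: The replacement comment `// Allow safe urls.` on the PARAM_URL case carries less information than the line it replaces, while the flag change on the validateUrlSyntax call just below it (`E?` to `E-`) is exactly what a future reader needs explained: mailto values are now rejected by PARAM_URL, as the companion test hunk in lib/tests/moodlelib_test.php asserts. Suggest keeping the scheme list next to the flag string, e.g. `// Allow safe ftp, http and https urls; mailto is rejected (E- flag).`, so the next person editing the flags sees the intent without opening lib/validateurlsyntax.php. The mapping of the letter E to mailto is inferred from the removed comment and the flag letters; confirm it against validateUrlSyntax before fixing the wording. The else-branch of this case continues outside the hunk.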
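Review bot: The three added assertions only pin that mailto values come back as `''`; nothing in this hunk checks that the tightened flag string still accepts the schemes it is meant to keep, so a mistake in the `s?H?S?F?` part would not be caught here. If the earlier part of test_clean_param_url (outside this hunk) does not already do so, add a positive case beside the new ones, e.g. `$this->assertSame('http://example.com/path?x=1', clean_param('http://example.com/path?x=1', PARAM_URL));` (constructed example). A case with a differently-cased scheme such as `MAILTO:` would also document whether the rejection is case-insensitive, which depends on validateUrlSyntax and cannot be read from this diff.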