From 66d59bcba77aeca2bf3beca60562b350e35fbf79 Mon Sep 17 00:00:00 2001
From: Avital Oliver
Date: Thu, 18 Feb 2016 18:40:43 -0800
Subject: [PATCH] Improve Blaze automatic URLs blocking
Now also blocks against `vbscript:` URLs in addition to `javascript:` URLs
---
 History.md | 3 +++
 packages/blaze/attrs.js | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/History.md b/History.md
index 087e06ab36..0ff1f7c3cc 100644
--- a/History.md
+++ b/History.md
@@ -95,6 +95,9 @@
 * Don't throw in certain cases when calling a template helper with an empty data context. #5411 #5736
+* Improve automatic blocking of URLs in attribute values to also
+ include `vbscript:` URLs.
+
 ### Testing
 * Packages can now be marked as `testOnly` to only run as part of app
diff --git a/packages/blaze/attrs.js b/packages/blaze/attrs.js
index 1349d1f935..427f9cf8ec 100644
--- a/packages/blaze/attrs.js
+++ b/packages/blaze/attrs.js
@@ -267,8 +267,9 @@ var UrlHandler = AttributeHandler.extend({
 origUpdate.apply(self, args);
 } else {
 var isJavascriptProtocol = (getUrlProtocol(value) === "javascript:");
-if (isJavascriptProtocol) {
-Blaze._warn("URLs that use the 'javascript:' protocol are not " +
+var isVBScriptProtocol = (getUrlProtocol(value) === "vbscript:");
+if (isJavascriptProtocol || isVBScriptProtocol) {
+Blaze._warn("URLs that use the 'javascript:' or 'vbscript:' protocol are not " +
 "allowed in URL attribute values. " +
 "Call Blaze._allowJavascriptUrls() " +
 "to enable them.");
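Review bot: The added `isVBScriptProtocol` line in the attrs.js hunk calls `getUrlProtocol(value)` a second time and extends what is now a two-entry scheme denylist by copy-paste; compute the protocol once and compare it against a list, e.g. `var protocol = getUrlProtocol(value);` / `var isBlockedProtocol = (protocol === "javascript:" || protocol === "vbscript:");`, so the next scheme is a one-token change and the warning condition stays a single name. Both comparisons are exact string equality, so whether mixed-case or whitespace-padded spellings of these schemes are also caught depends entirely on the normalization done inside `getUrlProtocol`, which is not in this hunk — worth confirming that it lower-cases and trims before this check, and adding a short comment here stating that assumption. If the set of schemes the handler is meant to accept is small and known, an allowlist of expected schemes would be the more robust shape than growing this denylist, though that is a larger change than this commit. The enclosing `update` override of `UrlHandler` starts and ends outside the hunk.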