From c445b571349b4584cd5653e030cc7f370fd473ef Mon Sep 17 00:00:00 2001
From: Emily Stark
Date: Mon, 21 Apr 2014 22:11:02 -0700
Subject: [PATCH] Avoid relying on HTMLAnchorElement.protocol; browser support not clear. Also avoid url.format, since we don't actually need server-side URL normalization yet and it's not clear what, if any, normalization url.format does.
---
 packages/ui/attrs.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/packages/ui/attrs.js b/packages/ui/attrs.js
index 8a5bae05b5..7961c60337 100644
--- a/packages/ui/attrs.js
+++ b/packages/ui/attrs.js
@@ -205,13 +205,12 @@ if (Meteor.isClient) {
 var anchorForNormalization = document.createElement('A');
 }
-var getProtocol = function (url) {
+var normalizeUrl = function (url) {
 if (Meteor.isClient) {
 anchorForNormalization.href = url;
- return anchorForNormalization.protocol;
+ return anchorForNormalization.href;
 } else {
- var parsed = Npm.require('url').parse(url);
- return parsed.protocol;
+ throw new Error('normalizeUrl not implemented on the server');
 }
 };
@@ -233,7 +232,8 @@ var UrlHandler = AttributeHandler.extend({
 if (UI._javascriptUrlsAllowed()) {
 origUpdate.apply(self, args);
 } else {
- var isJavascriptProtocol = (getProtocol(value) === 'javascript:');
+ var isJavascriptProtocol =
+ (normalizeUrl(value).indexOf('javascript:') === 0);
 if (isJavascriptProtocol) {
 Meteor._debug("javascript: URLs are not allowed. " +
 "Use UI._allowJavascriptUrls() to enable them.");
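Review bot: The server branch of `normalizeUrl` now throws where `getProtocol` used to return a parsed protocol, so any non-browser path that reaches the URL check will raise instead of evaluating it. The only caller visible in this patch is the `UrlHandler` update in the second hunk, and the lines shown there have no `Meteor.isClient` guard. If that handler can ever run during server-side rendering, it needs a guard or a server implementation. The function also has no comment stating its contract; I would add `// Client-only: returns the browser-resolved absolute href. Used for the javascript: URL check, so it must not fall back to returning the raw input.` above it.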
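Review bot: The new prefix test in `UrlHandler`'s update is case-sensitive and relies entirely on `anchorForNormalization.href` returning a canonical string. The commit message already calls browser support for the neighbouring `protocol` property unclear, and the same doubt plausibly applies to how older browsers serialise `href`. If a browser returns the assigned value without lowercasing the scheme, the comparison fails open and the attribute is written. Lowercasing before the comparison costs nothing: `(normalizeUrl(value).toLowerCase().indexOf('javascript:') === 0);`. A one-line comment recording that the check depends on browser normalisation would also help. The update function starts and ends outside this hunk.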