add empty protocol to link whitelist for IE relative links

alexcjohnson · alexcjohnson · commit 5d721d6f4c69 · 2017-05-23T09:53:57.000-04:00
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
@@ -252,7 +252,13 @@ var TAG_CLOSE = {
     sub: '<tspan dy="-0.21em">&#x200b;</tspan>'
 };
 
-var PROTOCOLS = ['http:', 'https:', 'mailto:'];
+/*
+ * Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
+ * and related attack vectors. The empty string is there for IE, that treats
+ * relative paths as having no protocol, while other browsers have these explicitly
+ * inherit the protocol of the page they're in.
+ */
+var PROTOCOLS = ['http:', 'https:', 'mailto:', ''];
 
 var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');
 
