moar "no protocol" values for even more IE dialects

alexcjohnson · alexcjohnson · commit b5f5168edb4e · 2017-05-23T15:00:22.000-04:00
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
@@ -254,11 +254,11 @@ var TAG_CLOSE = {
 
 /*
  * Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
- * and related attack vectors. The empty string is there for IE, that treats
- * relative paths as having no protocol, while other browsers have these explicitly
- * inherit the protocol of the page they're in.
+ * and related attack vectors. The empty items are there for IE, that in various
+ * versions treats relative paths as having different flavors of no protocol, while
+ * other browsers have these explicitly inherit the protocol of the page they're in.
  */
-var PROTOCOLS = ['http:', 'https:', 'mailto:', ''];
+var PROTOCOLS = ['http:', 'https:', 'mailto:', '', undefined, ':'];
 
 var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');
 
