From 94f95ece3af7a4f70e0f1a419287c2cd2bd64fcf Mon Sep 17 00:00:00 2001 From: Daniel Freedman Date: Fri, 29 Jul 2016 11:11:56 -0700 Subject: [PATCH] Do not resolve urls with leading slash and other prototcols Fixes #2448 --- src/lib/resolve-url.html | 17 +++++++++-------- test/unit/resolveurl.html | 2 ++ test/unit/sub/resolveurl-elements.html | 2 ++ 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/lib/resolve-url.html b/src/lib/resolve-url.html index 6f365f5454..8fc464dab6 100644 --- a/src/lib/resolve-url.html +++ b/src/lib/resolve-url.html @@ -11,17 +11,17 @@ (function() { - // path fixup for urls in cssText that's expected to + // path fixup for urls in cssText that's expected to // come from a given ownerDocument function resolveCss(cssText, ownerDocument) { return cssText.replace(CSS_URL_RX, function(m, pre, url, post) { - return pre + '\'' + - resolve(url.replace(/["']/g, ''), ownerDocument) + + return pre + '\'' + + resolve(url.replace(/["']/g, ''), ownerDocument) + '\'' + post; }); } - // url fixup for urls in an element's attributes made relative to + // url fixup for urls in an element's attributes made relative to // ownerDoc's base url function resolveAttrs(element, ownerDocument) { for (var name in URL_ATTRS) { @@ -41,10 +41,10 @@ } function resolve(url, ownerDocument) { - // do not resolve '#' links, they are used for routing - if (url && url[0] === '#') { + // do not modify absolute urls + if (url && ABS_URL.test(url)) { return url; - } + } var resolver = getUrlResolver(ownerDocument); resolver.href = url; return resolver.href || url; @@ -63,7 +63,7 @@ } function getUrlResolver(ownerDocument) { - return ownerDocument.__urlResolver || + return ownerDocument.__urlResolver || (ownerDocument.__urlResolver = ownerDocument.createElement('a')); } @@ -72,6 +72,7 @@ '*': ['href', 'src', 'style', 'url'], form: ['action'] }; + var ABS_URL = /(^\/)|(^#)|(^[\w-\d]*:)/; var BINDING_RX = /\{\{|\[\[/; // exports 
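Review bot: The new comment in resolve(), `// do not modify absolute urls`, covers only part of what the guard now does: ABS_URL also matches fragment-only (`#foo`) and root-relative (`/foo`) values, and the old comment's rationale that hash links are used for routing is lost. I would write `// leave fragment-only, root-relative and scheme-qualified urls untouched; '#' links are used for routing`. The same comment should say that the early return hands back any scheme as written, `javascript:` and `data:` included, so resolve() is a path fixup and not a URL sanitizer; code that binds untrusted values to href or src still needs its own scheme allowlist. One consequence to confirm against the linked issue: a root-relative url in a document imported from another origin is now presumably interpreted against the host page's base rather than the import's.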
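Review bot: The scheme branch of `ABS_URL`, `(^[\w-\d]*:)`, is looser than a URL scheme: `*` lets a value that begins with a bare `:` count as absolute, `\w` admits `_`, and the legal scheme characters `+` and `.` are missing. In addition, `\d` is redundant inside `\w`, and the `-` between two class escapes is accepted only in non-unicode mode. A form that follows RFC 3986 would be `var ABS_URL = /^(?:\/|#|[a-zA-Z][a-zA-Z\d+.-]*:)/;`, which also drops the unused capture groups. The added tests exercise only `/foo.z` and `data:foo.z` on href; cases for a protocol-relative `//host/x`, a `url(...)` in a style attribute going through resolveCss, and a relative path with a colon after the first segment would pin the intended behaviour.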
diff --git a/test/unit/resolveurl.html b/test/unit/resolveurl.html index b0b467a726..010c9c8fca 100644 --- a/test/unit/resolveurl.html +++ b/test/unit/resolveurl.html @@ -45,6 +45,8 @@ assert.equal(el.$.action.getAttribute('action'), 'foo.z', 'action attribute relativized for incorrect element type'); assert.match(el.$.formAction.action, rx, 'action attribute relativized for incorrect element type'); assert.equal(el.$.hash.getAttribute('href'), '#foo.z', 'hash-only url should not be resolved'); + assert.equal(el.$.absolute.getAttribute('href'), '/foo.z', 'absolute urls should not be resolved'); + assert.equal(el.$.protocol.getAttribute('href'), 'data:foo.z', 'urls with other protocols should not be resolved'); }); test('resolveUrl api', function() { diff --git a/test/unit/sub/resolveurl-elements.html b/test/unit/sub/resolveurl-elements.html index 2aeef15d43..1fab8e53b4 100644 --- a/test/unit/sub/resolveurl-elements.html +++ b/test/unit/sub/resolveurl-elements.html @@ -23,6 +23,8 @@ Foo
Foo + Foo + Foo