From 872c5d0f2a9a8f5c07fc8198533b5a501c9a4219 Mon Sep 17 00:00:00 2001
From: straker
Date: Fri, 3 Feb 2017 15:42:14 -0700
Subject: [PATCH] fix URL contextual auto-escapping preventing good URL protocols

---
index.js | 2 +-
test/xss.test.js | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index b72c063..8fd67d1 100644
--- a/index.js
+++ b/index.js
@@ -306,7 +306,7 @@ if (typeof window.html === 'undefined') {
// the entire url (will not allow any 'javascript:' or filter
// evasion techniques)
if (offset === 0 && substitutionValue.indexOf(':') !== -1) {
- let protocol = substitutionValue.substring(index-5, index);
+ let protocol = substitutionValue.substring(0, 5);
if (protocol.indexOf('http') === -1) {
isRejected = true;
}
diff --git a/test/xss.test.js b/test/xss.test.js
index 232a2d2..bf42a5a 100644
--- a/test/xss.test.js
+++ b/test/xss.test.js
@@ -151,4 +151,17 @@ describe('XSS Attack Vectors', function() {
expect(el.getAttribute('href').indexOf('/bar')).to.equal(-1);
});
+ it('should allow a URL if it has a safe protocol', function() {
+ var protocol = 'http://localhost:500';
+ var value = '/foo?id=true';
+ var el = html``;
+
+ expect(el.getAttribute('href')).to.equal('http://localhost:500/bar/foo?id=true');
+
+ var protocol = 'https://localhost:500';
+ var el = html``;
+
+ expect(el.getAttribute('href')).to.equal('https://localhost:500/bar/foo?id=true');
+ });
+
});
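Review bot: The allowlist built on the new `let protocol = substitutionValue.substring(0, 5);` line is a substring test, so `protocol.indexOf('http') === -1` accepts any scheme whose first five characters contain "http" rather than exactly http or https, while it still rejects legitimate upper-case `HTTP:`/`HTTPS:` schemes that browsers treat as equivalent. Comparing the whole scheme up to the first colon against an explicit allowlist is tighter and self-documenting: `let scheme = substitutionValue.slice(0, substitutionValue.indexOf(':') + 1).toLowerCase();` followed by `if (scheme !== 'http:' && scheme !== 'https:') { isRejected = true; }`. Values without a colon never enter this guard and substitutions with a non-zero offset are skipped, so how a prefix placed before the substitution in the attribute is handled cannot be judged from this hunk; the enclosing function starts and ends outside it.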
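Review bot: `var protocol` and `var el` are each declared twice in the same function body of the new test; in sloppy mode this is only a redundant redeclaration, but linters flag it and a later move to `let`/`const` would turn it into a SyntaxError, so the second occurrences should reassign instead, e.g. `protocol = 'https://localhost:500';` and the same for `el`. The test also covers only the accepting side of the guard; a companion case asserting that a value whose first characters merely contain "http" but whose scheme is neither http nor https is still rejected would pin the intended allowlist. The template body inside the `html` tagged calls is not visible on this page, so the exact attribute under test is inferred from the expected href.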