Diffstat (limited to 'js/lib')
| -rw-r--r-- | js/lib/elgglib.js | 33 | 
1 files changed, 30 insertions, 3 deletions
diff --git a/js/lib/elgglib.js b/js/lib/elgglib.js
index d963a62be..caef4d0f1 100644
--- a/js/lib/elgglib.js
+++ b/js/lib/elgglib.js
@@ -250,8 +250,35 @@ elgg.normalize_url = function(url) {
 	url = url || '';
 	elgg.assertTypeOf('string', url);
-	// jslint complains if you use /regexp/ shorthand here... ?!?!
-	if ((new RegExp("^(https?:)?//", "i")).test(url)) {
+	validated = (function(url){
+		url = elgg.parse_url(url);
+		if(url.scheme){
+			url.scheme = url.scheme.toLowerCase();
+		}
+		if(url.scheme == 'http' || url.scheme == 'https') {
+			if(!url.host) {
+				return false;
+			}
+			/* hostname labels may contain only alphanumeric characters, dots and hypens. */
+			if(!(new RegExp("^([a-zA-Z0-9][a-zA-Z0-9\\-\\.]*)$", "i")).test(url.host) || url.host.charAt(-1) == '.'){
+				return false;
+			}
+		}
+		/* some schemas allow the host to be empty */
+		if (!url.scheme || !url.host && url.scheme != 'mailto' && url.scheme != 'news' && url.scheme != 'file') {
+			return false;
+		}
+		return true;
+	})(url);
+
+	// all normal URLs including mailto:
+	if (validated) {		
+		return url;
+	}
+
+	// '//example.com' (Shortcut for protocol.)
+	// '?query=test', #target
+	else if ((new RegExp("^(\\#|\\?|//)", "i")).test(url)) {
 		return url;
 	}
@@ -569,4 +596,4 @@ elgg.initWhenReady = function() {
 		elgg.trigger_hook('init', 'system');
 		elgg.trigger_hook('ready', 'system');
 	}
-};
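Review bot: The trailing-dot test in the new host check never fires, because `charAt(-1)` returns an empty string in JavaScript rather than the last character; if rejecting hosts that end in a dot is intended, use `url.host.charAt(url.host.length - 1) == '.'`. `validated` is assigned without `var`, so it becomes an implicit global; declare it as `var validated = (function(url){`. The hostname pattern is applied only to http and https, and any other scheme that parses with a host is returned unchanged; if callers treat the result of `elgg.normalize_url` as safe to put in a link, an explicit scheme allowlist would be safer, though this depends on how `elgg.parse_url` splits its input, which is not shown here. The body of `elgg.normalize_url` continues outside the hunk.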
\ No newline at end of file
+};  | 
