Diffstat (limited to 'vendor/oojs/oojs-ui/php/Tag.php')
-rw-r--r--vendor/oojs/oojs-ui/php/Tag.php20
1 files changed, 12 insertions, 8 deletions
diff --git a/vendor/oojs/oojs-ui/php/Tag.php b/vendor/oojs/oojs-ui/php/Tag.php
index da8c2bfa..e5fa9df6 100644
--- a/vendor/oojs/oojs-ui/php/Tag.php
+++ b/vendor/oojs/oojs-ui/php/Tag.php
@@ -4,7 +4,7 @@ namespace OOUI;
class Tag {
- /* Members */
+ /* Properties */
/**
* Tag name for this instance.
@@ -296,23 +296,27 @@ class Tag {
// reasons to ever use 'javascript:' URLs anyway.
$protocolWhitelist = array(
// Sourced from MediaWiki's $wgUrlProtocols
+ // Keep in sync with OO.ui.isSafeUrl
'bitcoin', 'ftp', 'ftps', 'geo', 'git', 'gopher', 'http', 'https', 'irc', 'ircs',
'magnet', 'mailto', 'mms', 'news', 'nntp', 'redis', 'sftp', 'sip', 'sips', 'sms', 'ssh',
'svn', 'tel', 'telnet', 'urn', 'worldwind', 'xmpp',
+ '(protocol-relative)', '(relative)',
);
// Protocol-relative URLs are handled really badly by parse_url()
if ( substr( $value, 0, 2 ) === '//' ) {
- $url = "http:$value";
+ $scheme = '(protocol-relative)';
} else {
- $url = $value;
+ // Must suppress warnings when the value is not a valid URL. parse_url() returns false then.
+ \MediaWiki\suppressWarnings();
+ $scheme = parse_url( $value, PHP_URL_SCHEME );
+ \MediaWiki\restoreWarnings();
+ if ( $scheme === null || ( !$scheme && substr( $value, 0, 1 ) === '/' ) ) {
+ $scheme = '(relative)';
+ }
}
- // Must suppress warnings when the value is not a valid URL. parse_url() returns false then.
- // @codingStandardsIgnoreStart
- $scheme = @parse_url( $url, PHP_URL_SCHEME );
- // @codingStandardsIgnoreEnd
- if ( !( $scheme === null || in_array( strtolower( $scheme ), $protocolWhitelist ) ) ) {
+ if ( !in_array( strtolower( $scheme ), $protocolWhitelist ) ) {
throw new Exception( "Potentially unsafe '$key' attribute value. " .
"Scheme: '$scheme'; value: '$value'." );
}
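Review bot: The `$scheme === null` branch maps every value in which parse_url() finds no scheme to `'(relative)'`, which this change adds to the allowlist, so the check passes on PHP's reading of the value alone. As far as I can tell parse_url() reports no scheme when leading whitespace or an embedded tab or newline precedes the colon, while browsers strip those characters before resolving the URL, so the two parsers can disagree about whether a scheme is present. Rejecting such values before the scheme lookup, for example by throwing when `preg_match( '/^[\x00-\x20]|[\t\r\n]/', $value )` matches, would close that gap. Separately, `$scheme` can be `false` at the final test, so strict comparison would be clearer: `in_array( strtolower( (string)$scheme ), $protocolWhitelist, true )`. The enclosing method starts and ends outside this hunk, so any earlier normalisation of `$value` is not visible here.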