From caf2b9b1683744a655687ad79a0aab62e26d5b88 Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Fri, 29 May 2026 19:24:04 +0530
Subject: [PATCH] strip ascii tab/newline from urls before protocol check
---
 packages/@glimmer/runtime/lib/dom/sanitized-values.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/@glimmer/runtime/lib/dom/sanitized-values.ts b/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
index a5203749453..cd27d293dd0 100644
--- a/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
+++ b/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
@@ -63,7 +63,11 @@ function findProtocolForURL() {
 let protocol = null;
 if (typeof url === 'string') {
- protocol = nodeURL.parse(url).protocol;
+ // browsers strip ASCII tab/newline/CR from urls before navigating, so
+ // `java\nscript:` runs as `javascript:`. `url.parse` keeps them and reports
+ // a null protocol, slipping past the badProtocols check. Strip them here to
+ // match the WHATWG `URL` parser used on the non-fastboot path.
+ protocol = nodeURL.parse(url.replace(/[\t\n\r]/gu, '')).protocol;
 }
 return protocol === null ? ':' : protocol;
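Review bot: The normalisation on the added `nodeURL.parse(...)` line covers only tab, LF and CR, while the WHATWG parser that the new comment says it matches also trims leading and trailing C0 control or space characters (U+0000 to U+0020) before reading the scheme. Whether legacy `url.parse` still reports a protocol for a value with such a leading character is not visible in this hunk, so it should be checked. If it returns null there too, the final `protocol === null ? ':' : protocol` turns that into `':'`, which presumably passes the badProtocols check the comment mentions. A possible tightening is `protocol = nodeURL.parse(url.replace(/^[\u0000-\u0020]+|[\t\n\r]/gu, '')).protocol;`. The diffstat shows only this file changed, so a regression test for the fastboot branch, asserting that a URL with embedded tab/newline/CR and one with leading control characters both resolve to the same protocol as on the `URL` constructor path, would keep the two branches from drifting apart again. The enclosing function begins and ends outside the hunk.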