Remove protocolForURL monkeypatch

The DOM helper used to require a specially patched version of
`protocolForURL` to work in Node. This commit:

1) Adds a test to verify attributes are correctly sanitized in Node
2) Removes the monkeypatch

tests/node/helpers/app-module.js

@@ -9,7 +9,6 @@ var emberPath = path.join(distPath, 'ember.debug.cjs');
 var templateCompilerPath = path.join(distPath, 'ember-template-compiler');
 var features = require(path.join(__dirname, '../../../features.json')).features;
 var SimpleDOM = require('simple-dom');
-var URL = require('url');
 
 /*
  * This helper sets up a QUnit test module with all of the environment and
@@ -101,11 +100,6 @@ module.exports = function(moduleName) {
       // TODO: REMOVE ME
 
       // Patch DOMHelper
-      Ember.HTMLBars.DOMHelper.prototype.protocolForURL = function(url) {
-        var protocol = URL.parse(url).protocol;
-        return (protocol == null) ? ':' : protocol;
-      };
-
       Ember.HTMLBars.DOMHelper.prototype.setMorphHTML = function(morph, html) {
         var section = this.document.createRawHTMLSection(html);
         morph.setNode(section);

tests/node/visit-test.js

@@ -128,6 +128,24 @@ QUnit.test('FastBoot: redirect', function(assert) {
   ]);
 });
 
+QUnit.test('FastBoot: attributes are sanitized', function(assert) {
+  this.template('application', '<a href={{test}}></a>');
+
+  this.controller('application', {
+    /*jshint scripturl:true*/
+    test: 'javascript:alert("hello")'
+  });
+
+  var App = this.createApplication();
+
+  return RSVP.all([
+    fastbootVisit(App, '/').then(
+      assertFastbootResult(assert, { url: '/', body: '<a href="unsafe:javascript:alert\\(&quot;hello&quot;\\)"></a>' }),
+      handleError(assert)
+    )
+  ]);
+});
+
 QUnit.test('FastBoot: route error', function(assert) {
   this.routes(function() {
     this.route('a');