diff --git a/test/controllers.js b/test/controllers.js
index 6f51ebf1ea..04343b6d18 100644
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -216,7 +216,7 @@ describe('Controllers', function () {
 });
 it('should load /outgoing?url=', function (done) {
- request(nconf.get('url') + '/outgoing?url=http//youtube.com', function (err, res, body) {
+ request(nconf.get('url') + '/outgoing?url=http://youtube.com', function (err, res, body) {
 assert.ifError(err);
 assert.equal(res.statusCode, 200);
 assert(body);
@@ -233,6 +233,15 @@ describe('Controllers', function () {
 });
 });
+ it('should 404 on /outgoing with javascript: protocol', function (done) {
+ request(nconf.get('url') + '/outgoing?url=javascript:alert(1);', function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 404);
+ assert(body);
+ done();
+ });
+ });
+
 it('should load /tos', function (done) {
 meta.config.termsOfUse = 'please accept our tos';
 request(nconf.get('url') + '/tos', function (err, res, body) {
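Review bot: The added test `should 404 on /outgoing with javascript: protocol` pins a single lowercase spelling of one scheme, so a check that compares the scheme case-sensitively, or that blocks only `javascript:`, would still pass it. The controller is not part of this diff; if it validates against an allow-list of schemes, a sibling case using `'/outgoing?url=JavaScript:alert(1);'` and one with a URL that has no scheme at all would pin that behaviour. The query value is also sent unencoded, so building it as `'/outgoing?url=' + encodeURIComponent('javascript:alert(1);')` would guarantee the server receives the intended string including the `;`. A short comment above the test, such as `// /outgoing must reject URLs whose scheme is not allowed`, would record why 404 is the expected status.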