--- a/modules/pathologic/pathologic.module
+++ b/modules/pathologic/pathologic.module
@@ -288,7 +288,22 @@
  * As the Drupal core url() function doesn't support protocol-relative URLs, we
  * work around it by just creating a full URL and then running it through this
  * to strip off the protocol.
+ *
+ * We replace against $base_url (Drupal site's URL including scheme) to ensure
+ * that we don't rewrite links that point somewhere else (since url() may have
+ * returned an off-site address, etc.)
  */
 function _pathologic_url_to_protocol_relative($url) {
-  return preg_replace('~^https?://~', '//', $url);
+  $settings = &drupal_static(__FUNCTION__, array());
+  if (!isset($settings['relative_url']) || !isset($settings['absolute_url_regex'])) {
+    $relative_url = preg_replace('/^https?:/i', '', $GLOBALS['base_url']);
+    $settings['relative_url'] = $relative_url;
+    $absolute_url_regex = '/^' . preg_quote($GLOBALS['base_url'], '/') . '/i';
+    $settings['absolute_url_regex'] = $absolute_url_regex;
+  }
+  else {
+    $relative_url = $settings['relative_url'];
+    $absolute_url_regex = $settings['absolute_url_regex'];
+  }
+  return preg_replace($absolute_url_regex, $relative_url, $url);
 }
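Review bot: The pattern assigned to `$absolute_url_regex` is anchored at the start of `$base_url` but has no boundary after it, so any URL that merely begins with the same characters still matches. With a base URL of `http://example.com` (constructed example), `http://example.com.other.test/x` or `http://example.com:8080/x` would be rewritten even though the new docblock says off-site links are left alone. Requiring a path, query, fragment or end of string after the prefix closes that gap: `$absolute_url_regex = '/^' . preg_quote($GLOBALS['base_url'], '/') . '(?=[\/?#]|$)/i';`. Separately, the match now depends on the scheme in `$base_url`, so an on-site URL returned with the other scheme (presumably possible when url() is asked for HTTPS) is no longer made protocol-relative, which the old `^https?://` pattern did; it is worth confirming that this is intended.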
