Could we make it just not work?
I.e., treat a package: URI as a special kind of URI, not just as a shorthand for a file: URI. Then "package:<packageName>/<absolutePath>" would be the required format, and it would simply not be allowed to reach outside of "lib/packageName".

If we just transform it to a file URI blindly, then all kinds of hackery is possible, so the safest thing is to just not do that.

That makes sense to me. Are there issues open for VM and dart2js to disallow this situation?

Added this to the M5 milestone.

Added Editor-AnalysisEngine label.

Removed Editor-AnalysisEngine label.

Has there been any progress on this issue? We need to be consistent with dart2js and the VM.

Set owner to @danrubel.

https://codereview.chromium.org/15736020/

Added Started label.

Removed this from the M5 milestone.
Added this to the M6 milestone.

Removed this from the M6 milestone.
Added this to the M7 milestone.

Removed this from the M7 milestone.
Added this to the M8 milestone.

Removed this from the M8 milestone.
Added this to the Later milestone.

Removed this from the Later milestone.
Added Oldschool-Milestone-Later label.

Added NotPlanned label.

This was miscategerized as an editor issue... reopening and moving to analyzer

Removed Area-Editor, Oldschool-Milestone-Later labels.
Added Area-Analyzer, Triaged labels.

Added Analyzer-Hint label.

Related https://code.google.com/p/dart/issues/detail?id=22079