fix: Add Url validation in Anchor and Page#open

[TatuLund]

No description provided.

[github-actions]

Test Results

 1 410 files  ±0   1 410 suites  ±0   1h 20m 45s ⏱️ +40s
10 160 tests ±0  10 091 ✅ ±0  69 💤 ±0  0 ❌ ±0 
10 635 runs  ±0  10 564 ✅ ±0  71 💤 ±0  0 ❌ ±0 

Results for commit bf87464. ± Comparison against base commit 1a88177.

♻️ This comment has been updated with latest results.

[knoobie]

This is going to create really weird and hard to spot bugs for user that e.g. rely on custom schemes to redirect their users to other apps / services and so on :/

[Artur-]

Yes, looks like the wrong approach with an "allow" list instead of a "disallow" list

[TatuLund]

Could be. I could just disallow "javascript".

[Artur-]

Yes, and if so, there should be a way to opt-out from the check also, to avoid breaking apps where you actually use javascript: but not combine it with user supplied strings

[knoobie]

Example; we use javascript:scrollFocus inside an anchor to create accessible skip links :(

(scrollFocus is a method we have written)

[TatuLund]

@knoobie in case of Anchor, this check could be overriden by extending Anchor overriding setHref. @Artur- is that enough for opt-out?

[Artur-]

Is that consistent with how other similar cases are handled?

[TatuLund]

I added override API to PR

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud