frontend: Defensively filter unsafe links that may come from bugdown.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

frontend_tests/node_tests/util.js

@@ -311,10 +311,12 @@ run_test("clean_user_content_links", () => {
         util.clean_user_content_links(
             '<a href="http://example.com">good</a> ' +
             '<a href="http://localhost:NNNN">invalid</a> ' +
+            '<a href="javascript:alert(1)">unsafe</a> ' +
             '<a href="/#fragment" target="_blank">fragment</a>'
         ),
         '<a href="http://example.com" target="_blank" rel="noopener noreferrer">good</a> ' +
         '<a>invalid</a> ' +
+        '<a>unsafe</a> ' +
         '<a href="/#fragment">fragment</a>'
     );
 });

static/js/util.js

@@ -367,9 +367,17 @@ exports.clean_user_content_links = function (html) {
             continue;
         }
 
-        // We detect URLs that are just fragments by comparing the URL
+        if (
-        // against a new URL generated using only the hash.
+            // eslint-disable-next-line no-script-url
-        if (url.hash === "" || url.href !== new URL(url.hash, window.location.href).href) {
+            ["data:", "javascript:", "vbscript:"].indexOf(url.protocol) !== -1
+        ) {
+            // Remove unsafe links completely.
+            elt.removeAttribute("href");
+        } else if (
+            // We detect URLs that are just fragments by comparing the URL
+            // against a new URL generated using only the hash.
+            url.hash === "" || url.href !== new URL(url.hash, window.location.href).href
+        ) {
             elt.setAttribute("target", "_blank");
             elt.setAttribute("rel", "noopener noreferrer");
         } else {