fix: Add Url validation in Anchor and Page#open

[TatuLund]

No description provided.

[github-actions]

Format Checker Report

There are 1 files with format errors

• To see a complete report of formatting issues, download the differences artifact

• To fix the build, please run mvn spotless:apply in your branch and commit the changes.

• Optionally you might add the following line in your .git/hooks/pre-commit file:

  mvn spotless:apply
  

Here is the list of files with format issues in your PR:

flow-server/src/main/java/com/vaadin/flow/internal/UrlUtil.java

[github-actions]

Test Results

 1 410 files  ±0   1 410 suites  ±0   1h 20m 23s ⏱️ +18s
10 160 tests ±0  10 091 ✅ ±0  69 💤 ±0  0 ❌ ±0 
10 635 runs  ±0  10 564 ✅ ±0  71 💤 ±0  0 ❌ ±0 

Results for commit 5c7e82c. ± Comparison against base commit 1a88177.

♻️ This comment has been updated with latest results.

[knoobie]

This is going to create really weird and hard to spot bugs for user that e.g. rely on custom schemes to redirect their users to other apps / services and so on :/

[Artur-]

Yes, looks like the wrong approach with an "allow" list instead of a "disallow" list

[TatuLund]

Could be. I could just disallow "javascript".

[Artur-]

Yes, and if so, there should be a way to opt-out from the check also, to avoid breaking apps where you actually use javascript: but not combine it with user supplied strings

[knoobie]

Example; we use javascript:scrollFocus inside an anchor to create accessible skip links :(

(scrollFocus is a method we have written)

[TatuLund]

@knoobie in case of Anchor, this check could be overriden by extending Anchor overriding setHref. @Artur- is that enough for opt-out?

[Artur-]

Is that consistent with how other similar cases are handled?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud