Security: Render only safe urls with Breadcrumbs

Proposal

The GlBreadcrumb component should render only secure and valid links. This means it should refuse javascript:// and other potentially dangerous hrefs. Specifically, it:

  • should allow only URLs with the following protocols (http, https, ftp, mailto)
  • should handle encoded URIs, so that a percent-encoded scheme cannot bypass the check
  • should render a span tag instead of an anchor when the href is unsafe

GlSafeLinkDirective can be used for that purpose.
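The check the proposal describes, as an added example that is not gitlab-ui's GlSafeLinkDirective: the allowlist of protocols, repeated percent-decoding before validation, and the anchor-or-span render decision. The placeholder base origin and the decode-round limit are assumptions of this example.

```javascript
// Added example, not gitlab-ui's GlSafeLinkDirective: a minimal safe-href check
// plus the render decision the proposal describes (anchor for safe hrefs, span otherwise).
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'ftp:', 'mailto:']);
const MAX_DECODE_ROUNDS = 5; // assumption: bound on nested percent-encoding

// Percent-decode repeatedly so that "javascript%3A" and "javascript%253A" are
// both seen as "javascript:". Throws URIError on malformed sequences.
function decodeFully(href) {
  let current = href;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i += 1) {
    const next = decodeURIComponent(current);
    if (next === current) return next;
    current = next;
  }
  return current;
}

// True only if the href resolves to one of the allowed protocols. Relative hrefs
// are resolved against a placeholder origin (constructed) and so inherit https:.
// Anything unparsable or with malformed encoding is treated as unsafe.
function isSafeUrl(href) {
  if (typeof href !== 'string') return false;
  let decoded;
  try {
    decoded = decodeFully(href);
  } catch (e) {
    return false; // malformed percent-encoding: reject rather than guess
  }
  let parsed;
  try {
    // URL() strips surrounding whitespace and embedded tabs/newlines and lower-cases
    // the scheme, so "JavaScript:" and "java\nscript:" both end up as "javascript:".
    parsed = new URL(decoded, 'https://placeholder.invalid/');
  } catch (e) {
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Render decision: an anchor (with the original, undecoded href) for safe hrefs,
// a plain span carrying only the text for everything else.
function renderBreadcrumbItem(text, href) {
  if (isSafeUrl(href)) {
    return { tag: 'a', attrs: { href }, text };
  }
  return { tag: 'span', attrs: {}, text };
}
```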

Why

javascript: links could lead to cross-site scripting bugs. Although we haven't found any real security vulnerability specific to GlDropdownItem yet, we need to make sure the components are safe by default.

Related Issues