Security: Render only safe urls with GlDropdownItem
Proposal
The GlDropdownItem component should render only secure and valid links. This means that it should refuse javascript:
URLs and other potentially dangerous link targets instead of rendering them as clickable anchors.
- should allow URLs only with the following protocols (http, https, ftp, mailto)
- should take care of encoded URIs
- should render as a span tag when the href is unsafe
GlSafeLinkDirective can be used for that purpose.
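The following is an added example of such a check, written for this page; it is not gitlab-ui's GlSafeLinkDirective or any other gitlab-ui code. The function names isSafeUrl, tagFor and itemAttributes, the SAFE_PROTOCOLS set and the BASE_URL used to resolve relative links are assumptions. It covers the three points of the proposal: the protocol allowlist, decoding encoded URIs before the check, and falling back to a span for anything that fails.

```javascript
// Added example (not gitlab-ui's GlSafeLinkDirective): allowlist-based URL
// check of the kind the proposal describes. Names and BASE_URL are assumptions.

// Only these schemes are allowed; everything else (javascript:, data:,
// vbscript:, blob:, ...) is unsafe. An allowlist is used rather than a
// denylist because the set of dangerous schemes is open-ended.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'ftp:', 'mailto:']);

// Base used to resolve relative hrefs such as "/projects/1". Hypothetical
// value; in a browser this would be document.baseURI.
const BASE_URL = 'https://example.invalid/';

function isSafeUrl(href) {
  if (typeof href !== 'string') {
    return false;
  }

  // Decode percent-encoding first so that "javascript%3Aalert(1)" or
  // "%6Aavascript:alert(1)" is judged on its decoded form. A malformed
  // sequence (e.g. a lone "%") throws URIError; treat that as unsafe.
  let decoded;
  try {
    decoded = decodeURIComponent(href);
  } catch (err) {
    return false;
  }

  // Let the WHATWG URL parser determine the scheme instead of a regex. It
  // lower-cases the scheme and strips leading/trailing whitespace and
  // embedded tabs/newlines, so "JaVaScRiPt:" and "\tjavascript:" both end
  // up as "javascript:" before the comparison. Relative paths resolve
  // against BASE_URL and therefore inherit its https: scheme.
  let parsed;
  try {
    parsed = new URL(decoded, BASE_URL);
  } catch (err) {
    return false;
  }

  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Tag the dropdown item should render with: an anchor for safe targets,
// a plain span for anything else.
function tagFor(href) {
  return isSafeUrl(href) ? 'a' : 'span';
}

// Attributes an item would receive. An unsafe target loses its href
// entirely rather than being escaped or rewritten, which is what the
// "render as span" rule asks for.
function itemAttributes(href) {
  return isSafeUrl(href) ? { tag: 'a', href } : { tag: 'span' };
}

// Constructed sample inputs, not taken from any real page.
const samples = [
  'https://gitlab.com/',
  '/projects/1',
  'mailto:security@example.com',
  'javascript:alert(document.domain)',
  'JaVaScRiPt:alert(document.domain)',
  'javascript%3Aalert(document.domain)',
  ' \tjavascript:alert(document.domain)',
  'data:text/html,<script>alert(1)</script>',
];
for (const href of samples) {
  console.log(JSON.stringify(href), '->', tagFor(href));
}
```

Decoding before parsing is what catches the percent-encoded form; a denylist regex run on the raw string would miss case variation, embedded tabs and encoding, which is why the parser is asked for the scheme instead.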
Why
The javascript: links could lead to cross-site scripting bugs. Although we haven't found any real security vulnerabilities specific to GlDropdownItem yet, we need to make sure the components are safe by default.
PoC (the same payload through the href prop and through the to prop):
<gl-dropdown-item href="javascript:alert(document.domain)">Click me</gl-dropdown-item>
<gl-dropdown-item to="javascript:alert(document.domain)">Click me</gl-dropdown-item>
Related Issues
Edited by Dheeraj Joshi