Allow only safe urls in GlButton

Proposal

The GlButton component should accept only safe, valid URLs. In particular, it must refuse javascript:// links.

  • should allow only URLs with one of the following protocols: http, https, ftp, mailto
  • should handle percent-encoded URIs, so that encoding cannot hide a disallowed protocol
  • should render a span tag instead of an anchor when the href is unsafe

GlSafeLinkDirective can be used for that purpose.

Since GitLab also relies on data: URLs in some cases, we'll want a way to pass "unsafe" URLs that skip the sanitization step. One option is to expose an unsafe-url prop.
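The checks listed above and the unsafe-url escape hatch, as an added example that is not gitlab-ui's code: a standalone allow-list check plus the tag decision GlButton would make from it. The helper names (`decodeFully`, `isSafeUrl`, `hrefTag`) and the base URL used for resolving relative links are assumptions.

```javascript
// Example code, not from gitlab-ui. Protocol allow-list from the proposal.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'ftp:', 'mailto:']);

// Percent-decode repeatedly so a double-encoded scheme such as
// "javascript%253A..." cannot slip past the check. The decoded value is
// used only for validation; the original href is what gets rendered.
function decodeFully(href, maxRounds = 3) {
  let current = String(href);
  for (let i = 0; i < maxRounds; i += 1) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

function isSafeUrl(href) {
  if (typeof href !== 'string' || href.trim() === '') return false;
  let parsed;
  try {
    // Relative URLs resolve against a fixed (assumed) https base and pass.
    // The WHATWG URL parser also strips leading/trailing control characters
    // and embedded tabs/newlines and lower-cases the scheme, so variants
    // like " JaVaScRiPt:alert(1)" still parse as javascript:.
    parsed = new URL(decodeFully(href), 'https://gitlab.example/');
  } catch (e) {
    return false; // unparseable input is treated as unsafe
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Tag GlButton would render: an anchor for safe hrefs, a span otherwise.
// The proposed unsafe-url prop bypasses the check (e.g. for data: URLs).
function hrefTag(href, { unsafeUrl = false } = {}) {
  if (unsafeUrl) return 'a';
  return isSafeUrl(href) ? 'a' : 'span';
}
```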

Why

javascript: links can lead to cross-site scripting (XSS) bugs. For example, gitlab#212630 (closed). It has been fixed by validating the Zoom meeting links, which addresses that particular security issue. However, other GlButton usages remain vulnerable wherever such validation is missed.

Edited by Paul Gascou-Vaillancourt