Summary

The URL sanitizer (_sanitizeUrl) currently only blocks javascript: URLs. This leaves other potentially dangerous URL schemes unblocked:

• data:text/html — can execute scripts in older browsers and certain WebView environments
• vbscript: — script execution in legacy Internet Explorer
• data: with no subtype (e.g. data:,<script>...) — defaults to text/plain but has been used in XSS attacks
• data:application/xhtml+xml, data:text/xml — can contain executable script content

Changes

This PR extends the URL sanitizer regex to block vbscript: and dangerous data: subtypes while continuing to allow safe media data URIs:

• ✅ data:image/* — allowed (inline images)
• ✅ data:video/* — allowed (inline video)
• ✅ data:audio/* — allowed (inline audio)
• ❌ data:text/html — blocked
• ❌ data:application/* — blocked
• ❌ data:text/* — blocked
• ❌ data:, (bare) — blocked
• ❌ vbscript:* — blocked

This also resolves a longstanding TODO in html_sanitizer.ts that has been open since the sanitizer was originally written:

// TODO(martinprobst): Special case image URIs for data:image/...

Security Note

data:image/svg+xml is allowed because SVG loaded via <img src> is sandboxed by browsers (scripts do not execute). For <a href> contexts, modern browsers (Chrome 60+, Firefox 59+) block top-level navigation to data: URLs entirely.

Migration

Applications that rely on non-media data: URLs (e.g. data:text/plain, data:application/pdf) in sanitized URL contexts should use DomSanitizer.bypassSecurityTrustUrl() to explicitly mark them as trusted.

Test Plan

• Added tests for vbscript: URL variants (3 cases, case-insensitive)
• Added tests for dangerous data: URLs (9 cases including base64, bare data:, various MIME types)
• Added additional safe data:image/* test cases (svg+xml, gif)
• Verified all existing valid URL tests still pass
• Fixed test description typo (valid → invalid for invalid URL test cases)