authorMathias Bynens <mathias@chromium.org>2019-11-20 12:59:44 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-10 15:48:47 +0000
commit5043a049628bbc0c28e00e40e87744efc96a8472 (patch)
tree256d6e647a6166ee77d6f5dcaa4dea8eaa8d6c19
parent20b67be01c3a97b4db54186b004550f4abc855af (diff)
[Backport] Security bug 1026293
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/1925056:

Harden XLink defense-in-depth

This patch leverages the native `URL` API for URL parsing and validation for XLink components. It also ensures XLinks get rel=noopener.

Bug: chromium:1026293
Change-Id: Iad274bbde5d2ad9f0d8b22f35f3e36cba2aa76f1
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js20
1 files changed, 15 insertions, 5 deletions
diff --git a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
index a29a72afdc3..548944b569a 100644
--- a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
+++ b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
@@ -31,7 +31,8 @@ UI.XLink = class extends UI.XElement {
this.style.setProperty('display', 'inline');
UI.ARIAUtils.markAsLink(this);
this.tabIndex = 0;
- this.setAttribute('target', '_blank');
+ this.target = '_blank';
+ this.rel = 'noopener';
/** @type {?string} */
this._href = null;
@@ -71,11 +72,20 @@ UI.XLink = class extends UI.XElement {
}
if (attr === 'href') {
- let href = newValue;
- if (newValue.trim().toLowerCase().startsWith('javascript:'))
- href = null;
- if (Common.ParsedURL.isRelativeURL(newValue))
+ // For invalid or non-absolute URLs, `href` should remain `null`.
+ if (!newValue) {
+ newValue = '';
+ }
+ let href = null;
+ let url = null;
+ try {
+ url = new URL(newValue);
+ href = url.toString();
+ } catch (error) {
+ }
+ if (url && url.protocol === 'javascript:') {
href = null;
+ }
this._href = href;
this.title = newValue;