[SECURITY] Disallow javascript & data scheme in URL link handler
URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and`data:` URL schemes.
Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit:
1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>