[SDK-1191] Lock social buttons now render as links instead of buttons

[stevehobbsdev]

Changes

Lock social buttons now render as links instead of buttons. This is to fix an issue with LastPass not attaching its buttons to the input boxes on load.

I believe this is a security issue with LastPass (see security considerations on this doc). It won't initialize the extension on the form fields until some user interaction has happened, because there are button tags within the form (the social buttons). If a site hosting Lock was vulnerable to XSS attacks, they could potentially post login information to a malicious location if LastPass did actually pre-fill those form fields on page load.

Changing these buttons to links (without affecting the styles, other than providing an affordance that was normally provided by the browser) solves the issue.

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors
• All code quality tools/guidelines have been run/followed
• All relevant assets have been compiled
• All active GitHub checks have passed