Safe href in suggestion links for the iframe-based viewer

[veloman-yunkan]

Addresses kiwix/kiwix-tools#587 with respect to suggestions in the iframe-based viewer.

The value of the href attributed is assumed to always be a URI-encoded string that has to be decoded. This is true for URLs with javascript: scheme too.

The following example demonstrates the problem

<!DOCTYPE html>
<html>
  <head>
    <script>
      function foo() { alert('A%26B'); }
    </script>
  </head>
  <body>
    <a href="javascript:alert('A%26B)">Inline javascript.</a>
    <a href="javascript:foo()">Out-of-line javascript</a>
  </body>
</html>

Invoking inline javascript via the first link displays URL-decoded text ("A&B"). Running out-of-line javascript via the second link display the text as is ("A%26B").

This means that suggestion links in the iframe-based viewer that work via javascript need a second level of URL-encoding.

[codecov]

Codecov Report

Base: 71.04% // Head: 71.04% // No change to project coverage 👍

Coverage data is based on head (99f24eb) compared to base (6790a14).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #859   +/-   ##
=======================================
  Coverage   71.04%   71.04%           
=======================================
  Files          53       53           
  Lines        3685     3685           
  Branches     2058     2058           
=======================================
  Hits         2618     2618           
  Misses       1065     1065           
  Partials        2        2           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[mgautierfr]

This is a tricky bug.
LGTM