fix(security): remove XSS vulnerability in returnUrl query param

The `returnUrl` query parameter can be used to execute malicious code. For
example, visiting
`http://localhost:9876/?return_url=javascript:alert(document.domain)` will
display an alert.

Author: Jonathan Ginsburg

client/karma.js

@@ -239,6 +239,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
       self.updater.updateTestStatus('complete')
     }
     if (returnUrl) {
+      if (!/^https?:\/\//.test(returnUrl)) {
+        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+      }
       location.href = returnUrl
     }
   }

static/karma.js

@@ -249,6 +249,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
       self.updater.updateTestStatus('complete')
     }
     if (returnUrl) {
+      if (!/^https?:\/\//.test(returnUrl)) {
+        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+      }
       location.href = returnUrl
     }
   }