prevent popup bridge xss (#2371)

Author: jshawl

Diff for: src/lib/dom.js

@@ -237,10 +237,14 @@ export function extendUrl(url : string, params : { [key : string] : string } = {
 }
 
 export function redirect(win : CrossDomainWindowType = window, url : string) : ZalgoPromise<void> {
-    return new ZalgoPromise(resolve => {
+    return new ZalgoPromise((resolve, reject) => {
 
         info(`redirect`, { url });
 
+        if (url.toLowerCase().replace(/[^a-z:]+/g, '').match(/^javascript:/)) {
+            return reject(new Error('Invalid redirect URL'));
+        }
+
         setTimeout(() => {
             win.location = url;
             if (!urlWillRedirectPage(url)) {