fix: sanitize URLs used for OAuth auth flow (via #5190)

* fix: sanitize URLs used for OAuth auth flow

* embetter test case

* fix linter issue

test/e2e-cypress/static/documents/xss/oauth2.yaml

@@ -0,0 +1,5 @@
+swagger: '2.0'
+securityDefinitions:
+  a:
+    type: oauth2
+    authorizationUrl: javascript:alert(document.domain)//

test/e2e-cypress/tests/features/xss/oauth2.js

@@ -0,0 +1,23 @@
+describe("XSS: OAuth2 authorizationUrl sanitization", () => {
+  it("should filter out a javascript URL", () => {
+    cy.visit("/?url=/documents/xss/oauth2.yaml")
+      .window()
+      .then(win => {
+        let args = null
+        const stub = cy.stub(win, "open", (...callArgs) => {
+          args = callArgs
+        }).as("windowOpen")
+
+        cy.get(".authorize")
+          .click()
+          .get(".modal-btn.authorize")
+          .click()
+          .wait(100)
+          .then(() => {
+            console.log(args)
+            expect(args[0]).to.match(/^about:blank/) 
+          })
+
+      })
+  })
+})