[notifications] disallow arbitrary html in message content

[AlexTugarev]

In alignment with vscode, this PR will change rendering of user notifications. HTML+JavaScript won't make into the rendered output 🎉 (Thanks to @luigigubello for reporting!)

I also checked that links with javascript: scheme are not translated to anchors for markdown.

Closes #7283

Review checklist

• as an author, I have thoroughly tested my changes and carefully followed the review guidelines

Reminder for reviewers

• as a reviewer, I agree to behave in accordance with the review guidelines

hot to verify

add a task like this an use the >Run Task command

{
  "tasks": [
    {
      "label": "<a href=\"javascript:alert('foo')\">click me</a>",
      "type": "shell",
      "command": "echo 'foo!'",
      "presentation": {
        "reveal": "always",
        "focus": false
      }
    }
  ]
}

See the HTML is escaped with this PR:

While it goes into the DOM on master:

[akosyakov]

@AlexTugarev please reference the relevant issue

[kittaakos]

@AlexTugarev, how can I verify it? Thanks!

[kittaakos]

how can I verify it?

Found it.

Reproduction Steps
Create a new project and create a new debugger configuration file launch.json
In the type field write the Javascript payload (e.g. <details open ontoggle=confirm(2)>)
Press F5 to launch the debugger and see the alert box

[AlexTugarev]

@kittaakos, a task definition with a label containing HTML should now be escaped in the confirmation message Task '${taskIdentifier}' has been started. I expect it to be html content on master.

[kittaakos]

Thanks, @AlexTugarev. I even checked the video attached to the issue, no idea how to verify. Can you please write down the steps? Thanks!

[AlexTugarev]

@kittaakos, I've added a repro to verify ☝️

[kittaakos]

@kittaakos, I've added a repro to verify ☝️

Thank you!

I have verified and compared the behavior with the master.

PR:

master:

Note: I see only an error when I do the same on the master.

Uncaught (in promise) Error: A resource provider for 'javascript:alert%28%27foo%27%29' is not registered.
    at DefaultResourceProvider.<anonymous> (bundle.js:131973)
    at step (bundle.js:131818)
    at Object.throw (bundle.js:131799)
    at rejected (bundle.js:131791)

[AlexTugarev]

Note: I see only an error when I do the same on the master.

Oh yeah, but that doesn't matter. Link handler are using the command service. I should have written an example with onClick handler.

Thanks for verifying @kittaakos! 🙏