Sanitize language switching URLs

[osma]

Reasons for creating this PR

See issue #1289 - it was possible to trick Skosmos to generate links to an arbitrary URL. This could be a potential security issue together with some social engineering (instruct users to click on the link).

Link to relevant issue(s), if any

• Closes YSO concept pages broken #289

Description of the changes in this PR

1. add some more unit tests for Request->getLangUrl method (to make sure all relevant cases are covered)
2. sanitize the URL string returned by Request->getLangUrl so it won't contain special characters

The sanitizing will cause the "smuggled" URLs to stop working, for example http://example.com becomes http//examplecom and thus the links won't work anymore.

Known problems or uncertainties in this PR

The language switching links on the 404 page generated for a page such as /Skosmos/http://example.com will be broken. It's no worse than before though, since they were already broken, now they are just less harmful.

Checklist

• phpUnit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works (if not, explain why below)
• The PR doesn't introduce unintended code changes (e.g. empty lines or useless reindentation)

[codecov]

Codecov Report

Merging #1307 (fe9e356) into master (9b3aa64) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##             master    #1307      +/-   ##
============================================
+ Coverage     69.44%   69.45%   +0.01%     
  Complexity     1657     1657              
============================================
  Files            32       32              
  Lines          4068     4070       +2     
============================================
+ Hits           2825     2827       +2     
  Misses         1243     1243              

Impacted Files	Coverage Δ
model/Request.php	71.91% <100.00%> (+0.64%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9b3aa64...fe9e356. Read the comment docs.

[osma]

Note that this may restrict the range of available characters in vocabulary IDs. Currently only [a-zA-Z0-9/-] are allowed.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[osma]

The last commit changed the sanitizing. Now it's more minimal and only strips colons from the URL, preventing the smuggling of absolute URLs. http://example.com becomes http//example.com. This has a minimal effect on vocabulary IDs since even before, it was in practice impossible to use colons in vocabulary IDs, they wouldn't work anyway.

[joelit]

LGTM - better to just break absolute URLs this way (instead of limiting the possibility of using non-alphanumeric characters in vocabulary IDs).