When allowlisting the default-blocked form and button tags and the default-blocked formaction attribute, it's possible to inject scripting into the rendered HTML.
We do not consider this to be a vulnerability, since:

- the application developer must explicitly change the sanitizer configuration to:
  - allow multiple blocked tags (form and button)
  - allow a blocked attribute (formaction)
- it's not likely to be a common configuration
That said, if the developer has indeed taken advantage of the sharp knife that the API provides and explicitly allowed the form and button tags and the formaction attribute, it would be a good feature to scrub that attribute like we scrub other URL attributes.
Note: this sanitization feature will likely be implemented in Loofah.
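The check described above, as an added example (not Loofah's or rails-html-sanitizer's code): formaction is treated as a URL-valued attribute alongside href, src and action, and any such attribute whose scheme is not on an allowlist is dropped. The attribute-name and protocol allowlists are assumptions for illustration, and the element attributes are assumed to arrive already entity-decoded by the HTML parser.

```ruby
require "set"

# Attribute names whose values are URLs and therefore need a protocol check.
# formaction is listed together with the attributes usually scrubbed.
# (Hypothetical allowlist; a real sanitizer carries a longer one.)
URL_ATTRIBUTES = Set.new(%w[href src action formaction cite]).freeze

# Schemes permitted in URL-valued attributes (hypothetical allowlist).
ALLOWED_PROTOCOLS = Set.new(%w[http https mailto]).freeze

# Return the URL's scheme the way a browser would read it, or nil for a
# relative URL. Leading whitespace and ASCII control characters are ignored
# so that values such as "  java\tscript:..." are still recognised.
def url_scheme(value)
  cleaned = value.gsub(/[\x00-\x20\x7f]/, "")
  return nil unless cleaned.include?(":")
  scheme = cleaned.split(":", 2).first
  # "/a:b", "?a:b" and "#a:b" are relative references, not schemes.
  return nil if scheme.empty? || scheme =~ %r{[/?#]}
  scheme.downcase
end

# A value is safe when it is relative or its scheme is allowlisted.
def safe_url?(value)
  scheme = url_scheme(value)
  return true if scheme.nil?
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Scrub one element's attribute hash: remove URL-valued attributes with a
# disallowed scheme, leave every other attribute untouched.
def scrub_attributes(attrs)
  attrs.reject do |name, value|
    URL_ATTRIBUTES.include?(name.downcase) && !safe_url?(value)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a button allowed through the sanitizer configuration.
  p scrub_attributes("type" => "submit", "formaction" => "/submit")
  p scrub_attributes("type" => "submit", "formaction" => "javascript:void(0)")
end
```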