Description
From #11791
Currently, `ComponentHub.StartCircuit` and `RemoteUriHelper.NotifyLocationChanged` both just trust the client to supply valid, non-null values for `uriAbsolute`/`baseUriAbsolute`.
Although I don't know specifically how this could be exploited by a bad client, we should at least validate in those two places that the values are non-null and parseable URLs, since there's no reason not to.
For `ComponentHub.StartCircuit`, we could validate that `baseUriAbsolute` is within the PathBase, and that `uriAbsolute` is within `baseUriAbsolute`. However I'm not sure that's worth doing because we don't strictly require that as part of the programming model, and we definitely can't enforce it in `NotifyLocationChanged` since this is how you navigate to external URLs. So, I'm only proposing we check they are parseable URLs.
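
An added sketch of the check proposed above, not part of the original issue and not ASP.NET Core's own code. `CircuitUriChecks`, `TryParseAbsolute` and `Validate` are hypothetical names, the rejection of file URIs is an assumption, and the opt-in `requireWithinBase` flag shows the stricter containment rule the issue discusses but does not propose.

```csharp
using System;

// Added illustration; CircuitUriChecks and its members are hypothetical names.
public static class CircuitUriChecks
{
    // True only for a non-null string that parses as an absolute URI.
    public static bool TryParseAbsolute(string value, out Uri uri)
    {
        uri = null;
        if (string.IsNullOrEmpty(value)) return false;
        if (!Uri.TryCreate(value, UriKind.Absolute, out var parsed)) return false;
        // On Unix, a rooted path like "/a/b" parses as an implicit file: URI.
        // Assumption: a circuit never legitimately sends a file URI, so reject it.
        if (parsed.IsFile) return false;
        uri = parsed;
        return true;
    }

    // Check for StartCircuit-style input; returns null when valid, else a reason.
    // requireWithinBase enables the stricter containment rule the issue
    // discusses but does not propose.
    public static string Validate(string baseUriAbsolute, string uriAbsolute,
                                  bool requireWithinBase = false)
    {
        if (!TryParseAbsolute(baseUriAbsolute, out var baseUri))
            return "baseUriAbsolute is null or not an absolute URL";
        if (!TryParseAbsolute(uriAbsolute, out var uri))
            return "uriAbsolute is null or not an absolute URL";
        if (requireWithinBase && !baseUri.IsBaseOf(uri))
            return "uriAbsolute is not within baseUriAbsolute";
        return null;
    }

    public static void Main()
    {
        // Constructed sample inputs (not taken from the issue).
        var cases = new (string Base, string Target)[] {
            ("https://example.test/app/", "https://example.test/app/counter"),
            ("https://example.test/app/", null),
            ("https://example.test/app/", "not a url"),
            ("/app/", "https://example.test/app/"),
            ("https://example.test/app/", "https://other.test/"),
        };
        foreach (var c in cases)
            Console.WriteLine($"{c.Base} | {c.Target ?? "<null>"} -> " +
                $"{Validate(c.Base, c.Target) ?? "ok"} / strict: " +
                $"{Validate(c.Base, c.Target, requireWithinBase: true) ?? "ok"}");
    }
}
```

The last case passes the parse-only check and fails only in strict mode, which is the external-navigation case that rules out containment checks in `NotifyLocationChanged`.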