Proposal: Enforce safe URI schemes (http/https) for ACS URL #242

@tyage

Description

SamlIdp::Request#valid? validates the host of the ACS URL but does not check the scheme.
This allows URLs like javascript://whitelisted-host.com/%0aalert(1) to pass validation if the host is whitelisted.

When such a URL is used as a form action, it leads to XSS. This is currently reproducible in the spec/rails_app where saml_acs_url is rendered in the saml_post.html.erb template:

How about enforcing http or https schemes by default in the validation logic?

def valid?
  # ...
  return false unless ['http', 'https'].include?(URI(response_url.to_s).scheme)
  # ...
end
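The following is an added example, not code from the saml_idp gem, showing why a host-only allowlist check accepts the `javascript://` URL from this issue and how a scheme check in addition to the host check rejects it. The function names `host_only_valid?` and `acs_url_valid?`, the `allowed_hosts` parameter and the sample URLs are assumptions made for the example; the real `Request#valid?` has different inputs.

```ruby
# Added example (not saml_idp's own code): ACS URL validation with and
# without a scheme check. Names, parameters and sample URLs are assumed.
require 'uri'

ALLOWED_SCHEMES = %w[http https].freeze

# Host-only check, modelled on the behaviour described in the issue:
# any scheme is accepted as long as the host is on the allowlist.
def host_only_valid?(url, allowed_hosts)
  allowed_hosts.include?(URI.parse(url.to_s).host)
rescue URI::InvalidURIError
  false
end

# Proposed check: the URL must parse, carry an http/https scheme and have a
# host on the allowlist. Scheme-relative URLs (nil scheme) and unparseable
# strings are rejected rather than passed through.
def acs_url_valid?(url, allowed_hosts)
  uri = URI.parse(url.to_s)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  return false if uri.host.nil? || uri.host.empty?
  allowed_hosts.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  hosts = ['whitelisted-host.com'] # constructed allowlist for the example
  [
    'https://whitelisted-host.com/saml/consume',
    'javascript://whitelisted-host.com/%0aalert(1)', # URL from the issue
    '//whitelisted-host.com/saml/consume',
    'https://other.example/saml/consume'
  ].each do |u|
    puts "#{u}: host-only=#{host_only_valid?(u, hosts)} " \
         "scheme+host=#{acs_url_valid?(u, hosts)}"
  end
end
```

Keeping the allowlist entries lowercase and comparing the parsed host case-insensitively avoids a second class of mismatch; the scheme comparison is case-insensitive as well, since `URI.parse` normalises the scheme to lowercase but the explicit `downcase` makes the intent clear.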
