Forbid JavaScript in links to the bounce app

www/bounce/main.js

@@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
         window.alert('The bounce application must only be used with a valid href to visit');
         return;
     }
+    if (bounceTo.indexOf('javascript:') === 0 ||
+        bounceTo.indexOf('vbscript:') === 0 ||
+        bounceTo.indexOf('data:') === 0) {
+        window.alert('Illegal bounce URL');
+        return;
+    }
     window.opener = null;
     window.location.href = bounceTo;
 });