Fix reverse tabnabbing vulnerability with improper URL protocol

URLs with an invalid protocol delimiter like `http:evil.com` were
mistakenly considered internal URLs by Banzai `ExternalLinkFilter`.

Therefore, the `rel="nofollow noreferrer noopener"` attribute was not
added to the anchor, leaving the site vulnerable to reverse tabnabbing.

This commit fixes it.

Changelog: fixed

lib/banzai/filter/external_link_filter.rb

@@ -64,8 +64,8 @@ module Banzai
 
       def internal_url?(uri)
         return false if uri.nil?
-        # Relative URLs miss a hostname
-        return true unless uri.hostname
+        # Relative URLs miss a hostname AND a scheme
+        return true if !uri.hostname && !uri.scheme
 
         uri.hostname == internal_url.hostname
       end

spec/lib/banzai/filter/external_link_filter_spec.rb

@@ -71,6 +71,13 @@ RSpec.describe Banzai::Filter::ExternalLinkFilter do
 
       expect(doc.to_html).to eq(expected)
     end
+
+    it 'adds rel and target attributes to improperly formatted protocols' do
+      doc = filter %q(<p><a target="_blank" href="http:evil.com">Reverse Tabnabbing</a></p>)
+      expected = %q(<p><a target="_blank" href="http:evil.com" rel="nofollow noreferrer noopener">Reverse Tabnabbing</a></p>)
+
+      expect(doc.to_html).to eq(expected)
+    end
   end
 
   context 'for links with a username' do