Closed
Description
Hi, I've found a Cross-Site Scripting (XSS) vulnerability in @rjsf/core
Vulnerability Details:
- Severity: High/Critical
- Description: There's a risk of malicious script execution when the value of the FileWidget is controlled by an adversary.
Steps to Reproduce:
```jsx
import React from "react";
import ReactDOM from "react-dom/client";
import { getDefaultRegistry } from "@rjsf/core";

// Schema for a single file field; format "data-url" is what FileWidget expects.
const schema = {
  title: "Files",
  type: "object",
  properties: {
    file: {
      type: "string",
      format: "data-url",
      title: "Single file",
    },
  },
};

function App() {
  // Use the stock FileWidget from the default registry.
  const FileWidget = getDefaultRegistry().widgets.FileWidget;
  return (
    <FileWidget
      // Attacker-controlled value: not a data: URL but a javascript: URL.
      value={["javascript:alert(1)"]}
      registry={getDefaultRegistry()}
      // filePreview: true makes the widget render the preview/download link.
      options={{ id: 1, filePreview: true }}
      id="1"
      schema={schema}
      onChange={() => {}}
      onFocus={() => {}}
    />
  );
}

const root = ReactDOM.createRoot(document.getElementById("root"));
root.render(<App />);
```
In this case, when a user clicks the preview button, the malicious script `alert(1)` will be executed. Note that the specified `format: "data-url"` does not successfully sanitize the value.
Suggested Fix or Mitigation:
The root cause is the following line:
```jsx
<a download={`preview-${name}`} href={dataURL} className='file-download'>
```
where a malicious `dataURL` may be passed to the `<a />`, causing an XSS attack.
It is best practice for a package to ensure security. Even though the `dataURL` has been validated elsewhere, there's still a risk of a malicious `dataURL` being passed to `<a />`, as shown in the example. Please consider patching this issue by validating the `dataURL` to prevent the XSS attack. Thanks!
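One way to do the validation the report asks for, as an added example that is neither rjsf's own code nor the reporter's: the widget value is parsed with the browser's URL parser (so that leading whitespace, control characters and scheme casing are handled the way the browser will handle them when it follows the link), accepted only if it is a `data:` URL with a base64 payload and a media type on an allow-list, and then rebuilt from the parsed parts instead of echoed back into `href`. The allow-list, the `safePreviewHref` and `previewAnchorProps` names, and the sample values are assumptions made for this example; the widget would render the `<a />` only when `previewAnchorProps` returns something other than `null`.

```javascript
// Added example, not code from rjsf or from the issue reporter.
// Assumed policy: a FileWidget preview link is only rendered for an RFC 2397
// data: URL with a base64 payload and an allow-listed media type. Anything
// else, including the reporter's "javascript:alert(1)", yields null and no link.

// Assumed allow-list; text/html and image/svg+xml are deliberately excluded
// because both can carry script when opened as a document.
const ALLOWED_MEDIA_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp",
  "application/pdf", "text/plain",
]);

const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Returns a rebuilt, safe href for the preview <a>, or null if the value must
// not be used as an href at all.
function safePreviewHref(value) {
  if (typeof value !== "string") return null; // e.g. the PoC's array value

  // The WHATWG URL parser strips leading C0 controls/whitespace and lowercases
  // the scheme, exactly as the browser does before following the link, so a
  // plain value.startsWith("data:") check would miss " JavaScript:alert(1)".
  let url;
  try {
    url = new URL(value);
  } catch (_) {
    return null; // relative or malformed; a preview needs an absolute data: URL
  }
  if (url.protocol !== "data:") return null; // javascript:, http:, blob:, ...

  // Opaque path of a data: URL: [<mediatype>][;param=value...][;base64],<data>
  const path = url.pathname;
  const comma = path.indexOf(",");
  if (comma < 0) return null;
  const params = path.slice(0, comma).split(";");
  const mediaType = (params[0] || "text/plain").toLowerCase();
  const isBase64 = params.slice(1).some((p) => p.toLowerCase() === "base64");
  const payload = path.slice(comma + 1);

  if (!ALLOWED_MEDIA_TYPES.has(mediaType)) return null;
  if (!isBase64 || !BASE64_RE.test(payload) || payload.length % 4 !== 0) {
    return null;
  }

  // Rebuild from the validated parts rather than echoing the caller's string,
  // so no extra parameter or fragment survives into the href.
  return `data:${mediaType};base64,${payload}`;
}

// Props for the preview anchor (illustrative helper, not an rjsf API). The
// widget would render <a {...props}> only when this returns non-null.
function previewAnchorProps(name, value) {
  const href = safePreviewHref(value);
  if (href === null) return null;
  return { href, download: `preview-${name}` };
}
```

The rebuild step matters as much as the scheme check: returning the validated string unchanged would still let unexpected header parameters through to the browser, whereas the rebuilt href contains only the media type and payload that were actually checked.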