feat(security): allow url(...) style values.

Allows sanitized URLs for CSS properties. These can be abused for information
leakage, but only if the page's CSS rules are already set up to allow for it. That is,
an attacker cannot cause information leakage without already controlling the style
rules present, or without a very particular page setup.

Fixes #8514.
Martin Probst
2016-05-15 11:33:47 +02:00
parent dd50124254
commit 15ae710d22
2 changed files with 35 additions and 4 deletions


@ -30,5 +30,10 @@ export function main() {
expectSanitize('translateX(12px, -5px)').toEqual('translateX(12px, -5px)');
expectSanitize('scale3d(1, 1, 2)').toEqual('scale3d(1, 1, 2)');
});
t.it('sanitizes URLs', () => {
expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');
expectSanitize('url(javascript:evil())').toEqual('unsafe');
expectSanitize('url(strangeprotocol:evil)').toEqual('unsafe');
});
});
}
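Review bot: The new 'sanitizes URLs' case at the end of this hunk only exercises bare, unquoted, lowercase url() values, so it does not pin the inputs a bypass would most likely use; CSS also accepts `url("…")`, `url('…')` and whitespace inside the parentheses, and the scheme check lives in the sanitizer changed in the other file, which is not visible here. I would add `expectSanitize('url("javascript:evil()")').toEqual('unsafe');`, `expectSanitize("url( 'JavaScript:evil()' )").toEqual('unsafe');` and `expectSanitize('url(foo/bar.png) url(javascript:evil())').toEqual('unsafe');` so that quoting, scheme case and a second url() in one value are covered. Whether a `data:` URL should be accepted as a style value is worth an explicit expectation as well, whichever way the sanitizer decides it. The enclosing `main()` / test suite starts before this hunk and closes at its last line.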