Enable SMS links by default

[n-rook]

I'm submitting a ...

• bug report
• feature request
• other (Please do not submit support requests here (see above))

Current behavior:
Currently, by default, sms links like sms:+15555555555 have "unsafe" prepended to them. People who want sms links in their Angular app have to add a line like this:

  $compileProvider.aHrefSanitizationWhitelist(
    /^\s*(https?|ftp|mailto|tel|sms|file):/);

Expected / new behavior:
SMS links would be displayed by default.

Minimal reproduction of the problem with instructions:
http://plnkr.co/edit/c3PIZnwxj5aZrkzrpC02?p=preview

Angular version: 1.5.9

Browser: all

Anything else:
This would be trivial to fix: just replace the default with the regexp above. This would enable sms: links and have no downside I can see. However, I don't understand the security issue that motivated href sanitization in the first place, so I wanted to check that this makes sense before sending a PR.

[gkalpak]

cc @rjamet (who I think has some plans for href whitelisting already)

[rjamet]

I don't have strong feelings either way. The default is currently /^\s*(https?|ftp|mailto|tel|file):/: if we allow tel and mailto, we might as well allow sms, but the workaround is two lines.

The href sanitization is there to avoid XSS mainly, but we're also trying to avoid schemes that make no sense on most platforms (content:// for instance or app-specific schemes), or that might cause unwanted actions on click.

Pros:

• Here, since we have mailto: and tel:, sms: doesn't seem that much of a stretch.
• Also, the less users have to touch that sanitization whitelist, the better: it's very easy to forget to escape dots or to forget that first ^ in the regexp.

Cons:

• I guess that a lot of Angular href bindings do not expect anything else than http links. This would change if we fix that issue. No special security concern there, but it's going to be surprising.
• The status quo works with a two-lines workaround.

The fix could also be a series of switches that allow specific harmless schemes. Let only http/https through to begin with, and call $compileProvider.sanitization.enableSms() if you need it in your app, same with tel, file, and so on? This would mitigate the concerns around regexps, and the whitelist would be strict by default. This also doesn't need to be breaking, since it could cohabit with a custom regexp?