fix: Make ARIA polyfill more robust

All the attributes listed in the polyfill already begin with "aria".
However, to add extra protection against the possibility of XSS
attacks through one of the polyfill's internal methods, this enforces
"aria-" at the beginning of the snake-case attribute name, even if
somehow "aria" were missing from the input JavaScript attribute name.

This change is based on the outcome of an internal security review.

Change-Id: Iec8a9cbd5f88fdf4b87da3e5cd058c4ffb69c3ff

Author: joeyparrish

lib/polyfill/aria.js

@@ -48,7 +48,13 @@ shaka.polyfill.Aria = class {
    * @private
    */
   static addARIAMixinAttribute_(name) {
-    const snakeCaseName = name.toLowerCase().replace('aria', 'aria-');
+    const baseName = name.toLowerCase().replace(/^aria/, '');
+    // NOTE: All the attributes listed in the method above begin with "aria".
+    // However, to add extra protection against the possibility of XSS attacks
+    // through this method, this enforces "aria-" at the beginning of the
+    // snake-case name, even if somehow "aria" were missing from the input.
+    const snakeCaseName = `aria-${baseName}`;
+
     /* eslint-disable no-restricted-syntax */
     Object.defineProperty(Element.prototype, name, {
       get() {