fix(isURL): block credentials in protocol-relative URLs (+ regression tests)

[jordyloeuille]

This patch hardens isURL for protocol-relative inputs by rejecting credentials in the authority
(e.g. //user:[email protected]) when allow_protocol_relative_urls is true.

• Behavior now aligns with browser parsing expectations and avoids open-redirect/XSS-style patterns.
• Adds regression tests:
  • protocol-relative with credentials → invalid
  • require_protocol: true rejects https:example.com / http:example.com
  • valid https://example.com and http://example.com/path?x=1#y

No API changes; minimal code change in the // branch. All tests and lint pass locally.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (6f436be) to head (777a533).

Additional details and impacted files

@@            Coverage Diff            @@
##            master     #2613   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          114       114           
  Lines         2536      2541    +5     
  Branches       642       644    +2     
=========================================
+ Hits          2536      2541    +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jordyloeuille]

validator.js has a URL validation bypass vulnerability in its isURL function - GHSA-9965-vmph-33xx

[WikiRik]

Why's the comment (partially) in Dutch? Looks AI generated. Either way, the idea is that #2608 will be reviewed and eventually merged. Feel free to review that one and suggest improvements from this PR if they are useful. Closing this