FIX: restrict a href protocols on form template description (#27472)

spec/lib/validators/form_template_yaml_validator_spec.rb

@@ -136,6 +136,23 @@ RSpec.describe FormTemplateYamlValidator, type: :validator do
         )
       end
     end
+
+    context "when description field has unsafe anchor href" do
+      let(:yaml_content) { <<~YAML }
+          - type: input
+            id: name
+            attributes:
+              label: "Full name"
+              description: "What is your full name? Details <a href='javascript:alert()'>here</a>."
+        YAML
+
+      it "adds a validation error" do
+        validator.validate(form_template)
+        expect(form_template.errors[:template]).to include(
+          I18n.t("form_templates.errors.unsafe_description"),
+        )
+      end
+    end
   end
 
   describe "#check_ids" do