Refactor \Drupal\link\AttributeXss from SA-CORE-2025-004

Problem/Motivation

https://www.drupal.org/sa-core-2025-004 → added some XSS filtering code to the link module which ideally would live in core itself.

The aim is not to introduce new APIs or make BC breaking changes in Security Advisories, but now the SA has been released the code can be refactored in a public issue.

Steps to reproduce

Code in question: https://git.drupalcode.org/project/drupal/-/commit/b112cf535a8edd5a981c2...

Proposed resolution

Per the comments in \Drupal\link\AttributeXss:

/**
 * Defines a class for attribute XSS filtering.
 *
 * @internal This class was added for a security fix and will be folded into
 *   the \Drupal\Component\Utility\Xss class in a public issue.
 */
final class AttributeXss {

Remaining tasks

tbc

User interface changes

tbc

Introduced terminology

tbc

API changes

tbc

Data model changes

tbc

Release notes snippet

tbc