[Breaking] Remove disableJavaScriptURLs (#28615)

## Overview

This has landed, so we can remove the flag

## Changelog

This change blocks using javascript URLs such as:

```html
<a href="javascript:notfine">p0wned</a>
```

We previously announced dropping support for this via a warning:

> A future version of React will block javascript: URLs as a security
precaution. Use event handlers instead if you can. If you need to
generate unsafe HTML try using dangerouslySetInnerHTML instead.

DiffTrain build for [9f8daa6](9f8daa6)

compiled/facebook-www/REVISION

@@ -1 +1 @@
-6786563f3cbbc9b16d5a8187207b5bd904386e53
+9f8daa6cb5aae476cf54611874ea7522243c6ba6

compiled/facebook-www/ReactDOM-dev.classic.js

@@ -7324,6 +7324,7 @@ if (__DEV__) {
       warnUnknownProperties(type, props, eventRegistry);
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -7333,22 +7334,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;
@@ -36319,7 +36315,7 @@ if (__DEV__) {
       return root;
     }
 
-    var ReactVersion = "19.0.0-www-classic-654adadc";
+    var ReactVersion = "19.0.0-www-classic-45168b08";
 
     function createPortal$1(
       children,

compiled/facebook-www/ReactDOM-dev.modern.js

@@ -7158,6 +7158,7 @@ if (__DEV__) {
       warnUnknownProperties(type, props, eventRegistry);
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -7167,22 +7168,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;
@@ -36166,7 +36162,7 @@ if (__DEV__) {
       return root;
     }
 
-    var ReactVersion = "19.0.0-www-modern-ee9a7879";
+    var ReactVersion = "19.0.0-www-modern-2212f44c";
 
     function createPortal$1(
       children,

compiled/facebook-www/ReactDOMServer-dev.classic.js

@@ -19,7 +19,7 @@ if (__DEV__) {
     var React = require("react");
     var ReactDOM = require("react-dom");
 
-    var ReactVersion = "19.0.0-www-classic-b55c583a";
+    var ReactVersion = "19.0.0-www-classic-86d66ddc";
 
     // This refers to a WWW module.
     var warningWWW = require("warning");
@@ -2317,6 +2317,7 @@ if (__DEV__) {
         .replace(msPattern, "-ms-");
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -2326,22 +2327,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;

compiled/facebook-www/ReactDOMServer-dev.modern.js

@@ -19,7 +19,7 @@ if (__DEV__) {
     var React = require("react");
     var ReactDOM = require("react-dom");
 
-    var ReactVersion = "19.0.0-www-modern-173398fa";
+    var ReactVersion = "19.0.0-www-modern-194c6b4a";
 
     // This refers to a WWW module.
     var warningWWW = require("warning");
@@ -2317,6 +2317,7 @@ if (__DEV__) {
         .replace(msPattern, "-ms-");
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -2326,22 +2327,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;

compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js

@@ -2314,6 +2314,7 @@ if (__DEV__) {
         .replace(msPattern, "-ms-");
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -2323,22 +2324,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;

compiled/facebook-www/ReactDOMTesting-dev.classic.js

@@ -7461,6 +7461,7 @@ if (__DEV__) {
       warnUnknownProperties(type, props, eventRegistry);
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -7470,22 +7471,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;
@@ -36943,7 +36939,7 @@ if (__DEV__) {
       return root;
     }
 
-    var ReactVersion = "19.0.0-www-classic-de144cc2";
+    var ReactVersion = "19.0.0-www-classic-475fb13a";
 
     function createPortal$1(
       children,

compiled/facebook-www/ReactDOMTesting-dev.modern.js

@@ -7295,6 +7295,7 @@ if (__DEV__) {
       warnUnknownProperties(type, props, eventRegistry);
     }
 
+    // A javascript: URL can contain leading C0 control or \u0020 SPACE,
     // and any newline or tab are filtered out as if they're not part of the URL.
     // https://url.spec.whatwg.org/#url-parsing
     // Tab or newline are defined as \r\n\t:
@@ -7304,22 +7305,17 @@ if (__DEV__) {
     // https://infra.spec.whatwg.org/#c0-control-or-space
 
     /* eslint-disable max-len */
-
     var isJavaScriptProtocol =
       /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
     function sanitizeURL(url) {
       // We should never have symbols here because they get filtered out elsewhere.
       // eslint-disable-next-line react-internal/safe-string-coercion
-      var stringifiedURL = "" + url;
-
-      {
-        if (isJavaScriptProtocol.test(stringifiedURL)) {
-          // Return a different javascript: url that doesn't cause any side-effects and just
-          // throws if ever visited.
-          // eslint-disable-next-line no-script-url
-          return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
-        }
+      if (isJavaScriptProtocol.test("" + url)) {
+        // Return a different javascript: url that doesn't cause any side-effects and just
+        // throws if ever visited.
+        // eslint-disable-next-line no-script-url
+        return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
       }
 
       return url;
@@ -36790,7 +36786,7 @@ if (__DEV__) {
       return root;
     }
 
-    var ReactVersion = "19.0.0-www-modern-4e8b0ce1";
+    var ReactVersion = "19.0.0-www-modern-5757544c";
 
     function createPortal$1(
       children,