Added characters that look like padlocks to URL unescaping blacklist.
This blacklists the following Unicode characters:
- U+1F50F LOCK WITH INK PEN
- U+1F510 CLOSED LOCK WITH KEY
- U+1F512 LOCK
- U+1F513 OPEN LOCK
This prevents LOCK characters from appearing in a URL in the Chrome UI,
potentially looking like an SSL padlock icon (e.g., "google.com/🔒" is
now displayed as "google.com/%F0%9F%94%92"). This presented a spoofing
risk due to a few complications:
1. In RTL mode, the end of the URL (path/query) is aligned right up
against the right edge of the Omnibox, where the SSL padlock is
2. On Mac, ChromeOS, and Android, LOCK characters are displayed in
colour, making them more convincing.
Note: These characters will still be unescaped when using the
SPOOFING_AND_CONTROL_CHARS unescape rule (used for decoding data URLs,
previously known as CONTROL_CHARS).