fix($sanitize): blacklist the attribute usemap as it can be used as a security exploit

Backport of 234053f.

Closes #14903

BREAKING CHANGE:

The `$sanitize` service will now remove instances of the `usemap` attribute from any elements passed
to it.

This attribute is used to reference another element by `name` or `id`. Since the `name` and `id`
attributes are already blacklisted, a sanitized `usemap` attribute could only reference unsanitized
content, which is a security risk.

Author: gkalpak

src/ngSanitize/sanitize.js

@@ -204,7 +204,7 @@ var validElements = angular.extend({},
                                    optionalEndTagElements);
 
 //Attributes that have href and hence need to be sanitized
-var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap");
+var uriAttrs = makeMap("background,cite,href,longdesc,src");
 var validAttrs = angular.extend({}, uriAttrs, makeMap(
     'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
     'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,'+

test/ngSanitize/sanitizeSpec.js

@@ -174,6 +174,7 @@ describe('HTML', function() {
 
   it('should remove unsafe value', function() {
     expectHTML('<a href="javascript:alert()">').toEqual('<a></a>');
+    expectHTML('<img src="foo.gif" usemap="#foomap">').toEqual('<img src="foo.gif"/>');
   });
 
   it('should handle self closed elements', function() {