Fix URL whitelist bypass and server-side validation issues #87

Open

pau101 wants to merge 4 commits into Plompi:master from pau101:fix/packet-validation

Conversation

pau101 commented Mar 8, 2026

Currently the URL whitelist, since it was introduced in 1.4.0, has a flaw in its validation logic. The code computes baseURL but checks the original url using startsWith() against whitelist entries.

However, even if baseURL were used, startsWith() would only protect against userinfo bypasses such as youtube.com@evil.com, not subdomain spoofing where youtube.com.evil.com matches a whitelisted youtube.com.

Additionally, URI.toURL() accepts URLs such as https:foobar.com. In this case the URI has no authority and the foobar.com portion is parsed as the path, resulting in a null host. When played, this causes the client to display https://null in the whitelisting prompt.

The SetURLRecord message also relies only on client-side validation for disc lock status and duration bounds, which can be bypassed by a modified client.

This PR resolves these issues by validating URLs, requiring both a scheme and host, and performing an exact whitelist match on scheme://host. Server-side validation has also been added so locked discs cannot be modified and record duration is clamped to the allowed range (0-3600 seconds) per the client disc_url_screen.xml.

Note: manually configured whitelist entries with trailing slashes (e.g. https://example.com/) will no longer match compared to the original logic.
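The validation described above, as an added example that is not code from this PR or from the mod itself: the legacy startsWith() prefix check side by side with an exact scheme://host match derived from java.net.URI, plus the server-side duration clamp. The whitelist entries, class name and method names are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Hypothetical validator mirroring the checks the PR describes; not the mod's own code.
public final class UrlWhitelistCheck {
    // Constructed sample whitelist: entries normalised to scheme://host, no trailing slash.
    static final Set<String> WHITELIST = Set.of("https://youtube.com", "https://www.youtube.com");
    static final int MAX_DURATION_SECONDS = 3600;

    /** Legacy behaviour: prefix match on the raw string, which userinfo and subdomain tricks pass. */
    static boolean legacyAllowed(String url) {
        return WHITELIST.stream().anyMatch(url::startsWith);
    }

    /** Returns lower-cased scheme://host, or null when the URL has no scheme or no host. */
    static String schemeAndHost(String url) {
        try {
            URI uri = new URI(url);
            // "https:foobar.com" is an opaque URI: no authority, so getHost() is null.
            if (uri.getScheme() == null || uri.getHost() == null) return null;
            return uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Exact match on scheme://host; userinfo, path and query never influence the decision. */
    static boolean allowed(String url) {
        String key = schemeAndHost(url);
        return key != null && WHITELIST.contains(key);
    }

    /** Server-side clamp to the 0-3600 second range instead of trusting the client. */
    static int clampDuration(int seconds) {
        return Math.max(0, Math.min(MAX_DURATION_SECONDS, seconds));
    }

    public static void main(String[] args) {
        String[] samples = { "https://youtube.com/watch?v=x", "https://youtube.com@evil.com/",
                             "https://youtube.com.evil.com/", "https:foobar.com" };
        for (String s : samples) {
            System.out.printf("%-32s legacy=%-5b exact=%-5b%n", s, legacyAllowed(s), allowed(s));
        }
        System.out.println("clamp(-5)=" + clampDuration(-5) + " clamp(99999)=" + clampDuration(99999));
    }
}
```

Only the first sample is accepted by the exact match, while the legacy prefix check also accepts the userinfo and subdomain variants.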
