Bug 1250114 - XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
