. normal link .
Should not allow some protocols in links and images . xss link
xss link .
. xss link
xss link .
. xss link .
. xss link .
Should not allow data-uri except some whitelisted mimes . 
.
. xss link .
. normal link .
Image parser use the same code base as link. . 
.
Autolinks . <javascript:alert(1)>
Linkifier . javascript:alert(1)
javascript:alert(1) .
References . [test]: javascript:alert(1) .
Make sure we decode entities before split: .
test1
test2
.
.