Critic review: https://critic.hoppipolla.co.uk/r/1422

This is an external review system which you may optionally use for the code review of your pull request.

In order to help critic track your changes, please do not make in-place history rewrites (e.g. via git rebase -i or git commit --amend) when updating this pull request.

Please, merge this change!

Yes, please merge this change.

In case anyone is curious about the status, this is mostly blocked on me wanting to check that nothing does anything crazy with anything like <img src="tel:xxx">. Evidence either way appreciated.

Just to be sure, as per http://www.w3.org/TR/html5/embedded-content-0.html#attr-img-src :

The src attribute must be present, and must contain a valid non-empty URL potentially surrounded by spaces referencing a non-interactive, optionally animated, image resource that is neither paged nor scripted.

So, I guess "tel" is NOT valid for image. As well as "mailto", by the way.

It isn't valid, that's for sure. But the sanitizer doesn't currently try and maintain validity (because that's a lot more work), it's merely concerned with possible security consequences.

This PR needs to be updated because the sanitizer has changed.

@agafonovdmitry, @dieselmachine: Can either of you update this PR?

I'm going to close this out. It needs to be updated. Further, it's still not clear whether tel: is safe in all contexts. That needs to be researched. That's better done in the issue rather than in this PR.

@gsnedders reopened #138. Given that, I'll reopen this and merge it.

@igloox Do you have time to update this PR in the next week? If not, I can do it.

This is out of date and the original author hasn't responded. We've got an issue for supporting it already. Given that, I'm going to close it out. If someone wants this change, they can write up a PR with the change and a corresponding test.