
Potentially malicious links in Markdown previews are clickable #99

@btrask


In our preview generator for CommonMark Markdown files, we allow clickable links, including hash: links. That means we don't use cmark's "safe" link checker that prohibits javascript: links, among other protocols.

We should probably maintain our own whitelist.

  • http
  • hash
  • data?
  • ftp
  • NOT file
  • mailto

Let's look at cmark to see what else.
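As an added illustration (not code from this project or from cmark), the sketch below shows what a scheme whitelist for the preview generator can look like in C. It allows relative links and the schemes listed above, refuses everything else (javascript:, vbscript:, file:, ...), and answers the open "data?" question by admitting only image media types; that data: policy, the function names, and the `hash` scheme spelling are assumptions of the example. It reads the scheme the way a browser does, so leading whitespace, mixed case and embedded tabs or newlines do not slip a refused scheme past the check.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Schemes a preview link may use; anything else (javascript:, vbscript:, file:, ...) is refused. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "hash", "ftp", "mailto", NULL };
/* data: is handled by allowing only image media types (an assumption of this example;
   the issue itself leaves data: as an open question). */
static const char *const ALLOWED_DATA_TYPES[] = { "image/png", "image/gif", "image/jpeg", "image/webp", NULL };

/* Read the scheme the way a browser will: leading controls/spaces are dropped and
   tab/CR/LF are ignored, so "\tjava\nscript:" is still "javascript". Lower-cases it.
   Returns the offset just past ':' or 0 when the URL has no scheme (i.e. it is relative). */
static size_t extract_scheme(const char *url, char *out, size_t outlen) {
    size_t i = 0, n = 0;
    while (url[i] && (unsigned char)url[i] <= 0x20) i++;
    for (; url[i]; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '\t' || c == '\n' || c == '\r') continue;
        if (c == ':') { if (n == 0) return 0; out[n] = '\0'; return i + 1; }
        bool ok = (n == 0) ? isalpha(c) : (isalnum(c) || c == '+' || c == '-' || c == '.');
        if (!ok || n + 1 >= outlen) return 0;           /* not a scheme character: relative link */
        out[n++] = (char)tolower(c);
    }
    return 0;
}

static bool eq_nocase(const char *a, size_t alen, const char *b) {
    for (size_t i = 0; i < alen; i++)
        if (!b[i] || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return b[alen] == '\0';
}

/* true if the link may stay clickable in the preview. Relative links (no scheme) pass. */
bool link_is_allowed(const char *url) {
    char scheme[32];
    size_t rest = extract_scheme(url, scheme, sizeof scheme);
    if (rest == 0) return true;
    for (const char *const *s = ALLOWED_SCHEMES; *s; s++)
        if (strcmp(scheme, *s) == 0) return true;
    if (strcmp(scheme, "data") == 0) {                   /* media type runs up to ';' or ',' */
        size_t len = strcspn(url + rest, ";,");
        for (const char *const *t = ALLOWED_DATA_TYPES; *t; t++)
            if (eq_nocase(url + rest, len, *t)) return true;
    }
    return false;
}
```

Whatever the final list looks like, the check should run on the raw link destination before it is written into the preview HTML, and any refused link should be rendered as plain text rather than dropped silently.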
