These links should be unsafe and not allowed in safe_mode [link](javascript:alert%28'Hello%20world!'%29) [link](vbscript:msgbox%28%22Hello%20world!%22%29) [link](livescript:alert%28'Hello%20world!'%29) [link](mocha:[code]) [link](jAvAsCrIpT:alert%28'Hello%20world!'%29) [link](ja vas cr ipt:alert%28'Hello%20world!'%29) [link](ja vas cr ipt:alert%28'Hello%20world!'%29) [link](ja vas cr ipt:alert%28'Hello%20world!'%29) [link](ja%09 %0Avas cr
ipt:alert%28'Hello%20world!'%29) [link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29) [link](live%20script:alert%28'Hello%20world!'%29) ![img](javascript:alert%29'XSS'%29) [ref][] ![imgref][] [ref]: javascript:alert%29'XSS'%29 [imgref]: javascript:alert%29'XSS'%29 These should work regardless: [relative](relative/url.html) [email](mailto:foo@bar.com) [news scheme](news:some.news.group.com) [http link](http://example.com)