Elm HTML's non-optimized XSS warning bypassed by elm-css

### Expected

This behaves the same when using `elm/html` and `elm-css`:

```elm
a [href "javascript:close();"] [text "hi"]
```

### Actual

#### Non-optimized build

* [Using elm/html](https://ellie-app.com/gPwwxcMZkzsa1)
  * You get an alert saying "This is an XSS vector. Please use ports or web components instead."
* [Using elm-css](https://ellie-app.com/gPwtZ6jSZXha1)
  * You get a link with `javascript:close();` in the `href`

#### Optimized build

The optimized build is consistent with `elm/html`. Both produce an empty `href`.

### Why bother fixing

`elm/html`'s `alert` cues the user that they're doing something they shouldn't be doing

With `elm-css`, you'll only find out you messed up once you deploy

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Elm HTML's non-optimized XSS warning bypassed by elm-css #568

Expected

Actual

Non-optimized build

Optimized build

Why bother fixing

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Elm HTML's non-optimized XSS warning bypassed by elm-css #568

Description

Expected

Actual

Non-optimized build

Optimized build

Why bother fixing

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions