Merge branch 'patch-strip-harmful-tags' into 'master'

Remove href attribute if it executes JavaScript.

Security update to prevent A tags with a `javascript:` href from actually executing the JavaScript.

See merge request !31

include/functions2.php

@@ -1064,6 +1064,10 @@
 						array_push($attrs_to_remove, $attr);
 					}
 
+					if ($attr->nodeName == 'href' && stripos($attr->value, 'javascript:') === 0) {
+						array_push($attrs_to_remove, $attr);
+					}
+
 					if (in_array($attr->nodeName, $disallowed_attributes)) {
 						array_push($attrs_to_remove, $attr);
 					}