unexpected url handling

[ThatFave]

goldmark has https://github.com/yuin/goldmark/discussions in github. You should post only issues here. Feature requests and questions should be posted at discussions.

• [x] goldmark is fully compliant with the CommonMark. Before submitting issue, you must read CommonMark spec and confirm your output is different from CommonMark online demo.
  • [x] Extensions(Autolink without < >, Table, etc) are not part of CommonMark spec. You should confirm your output is different from other official renderers correspond with an extension.
• [x] goldmark is not dedicated for Hugo. If you are Hugo user and your issue was raised by your experience in Hugo, you should consider create issue at Hugo repository at first .

Please answer the following before submitting your issue:

1. What version of goldmark are you using? : v1.5.4
2. What version of Go are you using? : go version go1.20.5 linux/amd64
3. What operating system and processor architecture are you using? : linux, amd64

4. What did you do? : used this funtion to open a markdown file:

   func openMD(filePath string) (string, *PostMeta, error) {
   content, err := os.ReadFile(filePath)
   if err != nil {
       return "", nil, err
   }
   
   md := goldmark.New(
       goldmark.WithExtensions(extension.GFM),
       goldmark.WithParserOptions(parser.WithAutoHeadingID()),
       goldmark.WithRendererOptions(),
   )
   
   var htmlOutput strings.Builder
   if err := md.Convert(content, &htmlOutput); err != nil {
       return "", nil, err
   }
   
   meta := &PostMeta{}
   meta.Title = "title not set"
   
   metaData, err := extractCustomMetadata(string(content))
   if err != nil {
       return "", nil, err
   }
   
   if err := parseCustomMetadata(metaData, meta); err != nil {
       return "", nil, err
   }
   
   meta.FirstParagraph = extractFirstParagraph(htmlOutput.String())
   
   return htmlOutput.String(), meta, nil
   }

   
   ---
   title: test
   date: 2023-07-06 09-28-19 +0
   categories: [DEV]
   tags: [dev, server, ci, docker]
   ---

Basic CaseInsensitive

5. What did you expect to see? : it being handled like `[Basic](javascript:alert('Basic'))` to not allow an alert
6. What did you see instead? : this html:
```html
[...]
<a href="">Basic</a>
<a href="JaVaScRiPt:alert('CaseInsensitive')">CaseInsensitive</a>

7. Did you confirm your output is different from CommonMark online demo or other official renderer correspond with an extension?: the demo give this html:

   [...]
   <p><a href="javascript:alert('Basic')">Basic</a>
   <a href="JaVaScRiPt:alert('CaseInsensitive')">CaseInsensitive</a></p>

I think goldmarks way of handling basic to be good, but it is not consistent. may be unintentional. full code: https://git.fave.lu/fave/blog