security: always-on attribute + URL hardening; cap inline nesting

[dereuromark]

Ports the confirmed default-output security hardening from the downstream carve-php fork.

Problem

All dangerous-content sanitization is gated on safe mode (if ($this->safeMode !== null) in HtmlRenderer), and safe mode is off by default. So a plain new DjotConverter() / new HtmlRenderer() emits, unfiltered:

• javascript: / vbscript: / data: URLs in link href and image src
• event-handler attributes (onclick, ...) and the injection sinks srcdoc / formaction
• CSS expression() in style

Separately, deeply nested inline constructs (a bomb of nested links / emphasis) rescan balanced brackets at each recursion level - roughly O(n^2). A few thousand levels of nesting took ~10s of CPU, a parse-time DoS.

Change

• HtmlRenderer - always-on baseline, independent of safe mode. Strip on* / srcdoc / formaction attribute names; blank a value carrying a dangerous URL scheme or a script-bearing CSS construct (expression() / url() / @import / behavior / -moz-binding). href / src run the dangerous-scheme denylist before the safe-mode allowlist. Scheme detection strips C0 controls + spaces first, so java\tscript: cannot evade. Safe mode still layers its stricter filtering (raw-HTML policy, style, allowlists) on top - this only changes the default (no-safe-mode) output, which previously did nothing.
• InlineParser - cap inline recursion depth (100, far deeper than any real document). Beyond the cap the remaining text is emitted literally instead of recursing, bounding the O(n^2) blowup.
• New AlwaysOnHardeningTest; two SafeModeTest cases that asserted dangerous URLs pass through with safe mode off were updated to the new baseline (the off-by-default distinction is now shown via raw-HTML passthrough).

Compatibility

This shifts the default rendering output: dangerous schemes / handlers that previously passed through are now neutralized even without safe mode. There is no legitimate reason to emit javascript: or onclick from untrusted markup, so the baseline is unconditional; callers who genuinely need a permissive renderer still control the rest via safe-mode configuration.

Scope notes

Confirmed-not-applicable and excluded: djot-php already drops a colliding {href=...} attribute-block override on links/images (no change needed). The HTML importer (HtmlToDjot) carrying javascript: through on import is a separate surface, left for a follow-up.

[codecov]

Codecov Report

❌ Patch coverage is 87.93103% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.32%. Comparing base (78f8aec) to head (445ec64).

Files with missing lines	Patch %	Lines
src/Renderer/HtmlRenderer.php	86.00%	7 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #253      +/-   ##
============================================
- Coverage     92.34%   92.32%   -0.02%     
- Complexity     3593     3617      +24     
============================================
  Files           107      107              
  Lines         10165    10221      +56     
============================================
+ Hits           9387     9437      +50     
- Misses          778      784       +6     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.