Support override of ALLOWED_URI_SCHEMES with html4.allowedUriSchemes

[jeffreyhardy]

This indirectly addresses Issue 1558.

That issue is about data: and javascript: not being allowed protocols for URIs. This change allows the HTML sanitizer to be configured to allow any URI protocol by using a new html4 attribute, allowedUriSchemes. This custom attribute, if defined, will be used instead of the hardcoded RegEx ALLOWED_URI_SCHEMES.

For instance, to allow both data: and javascript: URIs:

html4.allowedUriSchemes = /^(?:https?|geo|mailto|sms|tel|data|javascript)$/i;
var newHTML = html_sanitize(oldHTML);

[kpreid]

Configuration by modifying global state strikes me as a bad idea, since it would interfere between any two users of the library.

To pursue this I would suggest, instead, starting with a refactoring which preserving the existing entry point functions (sanitize, sanitizeWithPolicy, etc.) but also adds a way to create a "sanitizer object". This factory function would take the tagPolicy as a parameter and have provision for further options being added later, the first one then being this URI scheme test.