Sanitize HTML consistently with the backend Markdown service

The problem

We should remove dangerous and unknown tags from the client-side Markdown renderer output. We should also remove dangerous URLs from attributes like href and src.

Proposed solution

The default behavior of the client-side Markdown renderer is to ignore HTML tags that aren’t explicitly supported. As a consequence, we get tag sanitization as a side effect. However, we still need to implement URL sanitization for dangerous attributes such as href and src.
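As an added illustration (not GitLab's code, and not the implementation proposed in this issue), the snippet below shows the two checks the proposal describes as they could be applied to a renderer's output: an allowlist of tags, and a scheme allowlist for URL-bearing attributes. The node shape (`{ tag, attrs, children }`), the tag and attribute allowlists, and the `example.invalid` base used for resolving relative links are all assumptions made for the example. Scheme checks use the WHATWG `URL` parser rather than string prefix matching so that case differences and embedded control characters (which browsers strip before resolving a scheme) cannot be used to disguise a `javascript:` or `data:` URL.

```javascript
// Added example: allowlist-based tag and URL sanitization for the output of a
// client-side Markdown renderer. Node shape and allowlists are assumptions.

// Schemes we are willing to emit in href/src. Anything else is dropped.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Per-tag attribute allowlist; attributes not listed here are removed.
const ALLOWED_ATTRIBUTES = {
  p: [], em: [], strong: [], code: [], pre: [], ul: [], ol: [], li: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'title'],
};

const URL_ATTRIBUTES = new Set(['href', 'src']);

// Returns the URL when its scheme is allowed (relative URLs inherit the
// base's https: scheme and are therefore kept), otherwise null.
function sanitizeUrl(value) {
  if (typeof value !== 'string') return null;
  // Remove ASCII control characters and spaces: browsers ignore them when
  // determining the scheme, so "java\tscript:" must be treated as "javascript:".
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  if (cleaned === '') return null;
  let parsed;
  try {
    // Fixed base so that relative links parse; it never appears in the output.
    parsed = new URL(cleaned, 'https://example.invalid/');
  } catch {
    return null; // unparseable URL: drop the attribute
  }
  // URL lowercases the scheme, so "JavaScript:" is rejected as well.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? value.trim() : null;
}

// Recursively sanitizes a node tree. Text nodes are plain strings and pass
// through; elements with unknown tags are removed together with their subtree.
function sanitizeNode(node) {
  if (typeof node === 'string') return node;
  const allowedAttrs = ALLOWED_ATTRIBUTES[node.tag];
  if (allowedAttrs === undefined) return null; // unknown or dangerous tag
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (!allowedAttrs.includes(name)) continue; // e.g. onclick, style
    if (URL_ATTRIBUTES.has(name)) {
      const safe = sanitizeUrl(value);
      if (safe !== null) attrs[name] = safe;
    } else {
      attrs[name] = value;
    }
  }
  const children = (node.children || [])
    .map(sanitizeNode)
    .filter((child) => child !== null);
  return { tag: node.tag, attrs, children };
}

// Constructed sample of renderer output, used only to exercise the functions.
const SAMPLE_TREE = {
  tag: 'p',
  attrs: {},
  children: [
    { tag: 'a', attrs: { href: 'javascript:alert(1)', onclick: 'x()', title: 'bad' }, children: ['click'] },
    { tag: 'a', attrs: { href: 'https://gitlab.com/' }, children: ['ok'] },
    { tag: 'script', attrs: {}, children: ['alert(1)'] },
    { tag: 'img', attrs: { src: 'data:text/html,<script>', alt: 'x' }, children: [] },
  ],
};

function sanitizeSample() {
  return sanitizeNode(SAMPLE_TREE);
}
```

Running `sanitizeSample()` keeps both links and the image, but the first link loses its `href` and `onclick`, the image loses its `data:` `src`, and the `script` element disappears entirely. In a real renderer the same check would sit wherever the renderer maps its document model to DOM attributes, so that the backend and client produce the same set of permitted tags and schemes.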

Edited by Enrique Alcántara