Allow data & mxc URLs in img tags in HTML

[ara4n]

PR matrix-org/matrix-react-sdk#333 whitelisted data URIs for img tags in the HTML sanitizer. Unfortunately this introduced a vuln where you could do <img src=//evil.com/tracker.gif/> given null URL schemes are apparently implicitly in the allowedSchemes list, and got backed out in matrix-org/matrix-react-sdk@8ae210c. Would be good to get it back again, especially so we can embed mxc URLs nicely in messages for stickers, custom emoji, captioned images, etc.

[lukebarnard1]

I've pushed apostrophecms/sanitize-html#137 but not sure if it'll get through - activity on that project seems minimal.

We could roll our own version of naughtyHref which would not be that painful. That would mean removing all the hrefs that don't validate.

[lukebarnard1]

FTR apostrophecms/sanitize-html#137 got merged (and published to npm), so we should be able to whitelist data: and mxc: if we want 😁

[ara4n]

done in matrix-org/matrix-react-sdk#712