Not sure if this is a bug or intentional, but it is fairly counterintuitive, given that parse() sanitizes scripts in general.
Steps to reproduce:
- create a message with [javascript:alert(document.cookie) xss]
- turn it into a jQuery object with mw.message().parse()
Expected result: the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.)
Actual result: the object contains an <a href="javascript... which executes when clicked.
Noticed by @m4tx.
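
One way a renderer for the `[target label]` link syntax can give the expected result described above, shown as an added example that is not part of the original report and is not MediaWiki's code. The names `ALLOWED_SCHEMES`, `isSafeHref` and `renderExtLinks` and the scheme allowlist are assumptions made for illustration.

```javascript
// Added illustration; not the jqueryMsg implementation.
// Assumption: only these schemes may become clickable links (hypothetical allowlist).
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];

// Escape text for use in HTML element content and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// True only when the target starts with an explicitly allowed scheme.
// An allowlist fails closed: javascript:, data:, vbscript:, mixed-case
// variants and anything without a recognisable scheme are all rejected.
function isSafeHref(target) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(target);
  return m !== null && ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// Render "[target label]" external-link syntax to an HTML string.
// Unsafe targets are emitted as escaped literal text, so no <a> is created.
function renderExtLinks(message) {
  const re = /\[([^\s\]]+) ([^\]]+)\]/g;
  let out = '';
  let last = 0;
  for (const m of message.matchAll(re)) {
    out += escapeHtml(message.slice(last, m.index));
    if (isSafeHref(m[1])) {
      out += `<a href="${escapeHtml(m[1])}" rel="nofollow">${escapeHtml(m[2])}</a>`;
    } else {
      out += escapeHtml(m[0]);
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// The message from the report stays plain text; an https link is rendered.
console.log(renderExtLinks('[javascript:alert(document.cookie) xss]'));
console.log(renderExtLinks('See [https://example.org/?a=1&b=2 docs]'));
```
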