Not sure if this is a bug or intentional, but it is fairly counterintuitive, given that parse() sanitizes scripts in general.
Steps to reproduce:
- turn it into a jQuery object with mw.message().parse()
Expected result: the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty etc)
Noticed by @m4tx.