markup-validator
Sanitise input URI; specifically, discard e-mail addresses
Some scammers are tricking non-tech-savvy users into “validating” their e-mail addresses on validator.w3.org/. Apparently, the validator takes the domain portion of the address and tries to validate that. If the corresponding page isn't valid (which is the most likely outcome), scammers use that to convince victims that it is their e-mail address that is wrong, somehow.
I suggest being more strict about valid URIs.
Thanks to @john_holley for reporting:
https://twitter.com/john_holley/status/900217901705310208
https://twitter.com/john_holley/status/900220845909565440
https://twitter.com/john_holley/status/900271480323190784
https://twitter.com/john_holley/status/900271661479378944
https://twitter.com/john_holley/status/900271858355912704
Thanks to @LeeKowalkowski for pointing out that the conversion appears to be done here: https://github.com/w3c/markup-validator/blob/master/httpd/cgi-bin/check#L1780-L1789
cf validator/validator#553
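The stricter check suggested above, as an added example in Python; it is not part of the original issue and not the validator's own code. `naive_normalise` is an assumption about the behaviour the issue describes (prepending a scheme to scheme-less input), and all function names and sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def naive_normalise(user_input: str) -> str:
    """Assumed current behaviour: prepend http:// when no scheme is present."""
    s = user_input.strip()
    return s if "://" in s else "http://" + s

def strict_normalise(user_input: str) -> str:
    """Return a fetchable http(s) URI, or raise ValueError for e-mail-like input."""
    s = user_input.strip()
    if not s or any(c.isspace() for c in s):
        raise ValueError("empty input or embedded whitespace")
    if "://" not in s:
        # Only the part before the first "/" could become the authority.
        # An "@" there means a bare e-mail address or a mailto: URI.
        if "@" in s.split("/", 1)[0]:
            raise ValueError("looks like an e-mail address, not a web address")
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not accepted: " + parts.scheme)
    # Reject userinfo outright: "http://alice@example.com/" would otherwise
    # be fetched as example.com, which is the confusion the issue describes.
    if "@" in parts.netloc:
        raise ValueError("userinfo in URI not accepted")
    if not parts.hostname:
        raise ValueError("no host in URI")
    return parts.geturl()

def classify(user_input: str) -> str:
    """Small wrapper so results can be compared without try/except."""
    try:
        return "ok: " + strict_normalise(user_input)
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["alice@example.com", "mailto:alice@example.com",
                   "http://alice@example.com/", "example.com/page",
                   "https://www.w3.org/", "ftp://example.com/"]:
        print(f"{sample!r:32} naive host="
              f"{urlsplit(naive_normalise(sample)).hostname!r:16} "
              f"{classify(sample)}")
```

An "@" that appears only in the path or query (for example `example.com/page?contact=alice@example.com`) is still accepted, because only the authority position is checked.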