This Sanitizer::EVIL_URI_PATTERN is completely inadequate for actual security as...

This Sanitizer::EVIL_URI_PATTERN is completely inadequate for actual security as there are numerious ways to bypass blacklisting.
Since it's only used right now for paranoia in cases you currently can't actually exploit a browser we let it slide.
However this thing needs a big fat warning message next to it to avoid someone thinking this is actually a good idea for security and ending up later on using it and opening up an XSS hole in core.