@timethief
I know, JS was indeed stripped, as I wrote.
@drmike
I get it. I tried inserting the 'callto:\\' links both in a text widget and in a blog article. The result is always the same: the WP platform cuts the protocol part, resulting in the HREF tag pointing at '\\whatever'.
But I still don't get what this has to do with WP host security, since the protocol is simply passed to MY browser, which WARNS me that the link is calling an application on MY machine, not on the host where WP hosts my blog, and this happens only if that protocol is registered on MY machine by the external application.
I'm just curious; maybe I'm not malicious enough (or, on the other hand, ignorant enough :P) to see the possible exploits. I also noticed that some forum platforms (e.g. http://www.simplemachines.org/) don't recognize the 'callto://' protocol in a link I tried to post, resulting in 'http://' being added just in front of the link.
Regards.
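
The two behaviours described in this post (dropping the protocol part, or putting 'http://' in front of the link) are both what a URL-scheme allowlist filter produces. The sketch below is an added example, not code from WordPress or Simple Machines; the allowlist contents and the function names are assumptions made for illustration.

```python
import re

# Assumed allowlist for illustration; not the list any real platform ships.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme: a letter, then letters / digits / "+" / "-" / ".", then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def split_scheme(href):
    """Return (lowercased scheme or None, remainder of the link)."""
    # Browsers ignore tab/CR/LF inside a URL and leading control characters,
    # so the filter must normalise them before looking for the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", href)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    m = _SCHEME_RE.match(cleaned)
    if not m:
        return None, cleaned
    return m.group(1).lower(), cleaned[m.end():]


def strip_policy(href):
    """Remove any scheme that is not allowlisted and keep the rest.

    Repeats until the result is stable, so a link carrying two
    disallowed schemes in a row does not survive a single pass.
    """
    scheme, rest = split_scheme(href)
    while scheme is not None and scheme not in ALLOWED_SCHEMES:
        href = rest
        scheme, rest = split_scheme(href)
    return href


def prefix_policy(href):
    """Treat anything without an allowlisted scheme as a bare web address."""
    scheme, _ = split_scheme(href)
    if scheme in ALLOWED_SCHEMES:
        return href
    return "http://" + href


if __name__ == "__main__":
    # Constructed sample links, modelled on the ones mentioned in the post.
    for link in ["callto:\\\\whatever", "callto://user", "https://example.com/"]:
        print(repr(link), "->", repr(strip_policy(link)), "|", repr(prefix_policy(link)))
```
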