Reputation: 563
I have a blog comment section where users enter their website and a comment about it, and it is shown like this:
<a href="https://example.com">Website</a>
<br>
<span>my website is about...</span>
<br><br>
<a href="https://example2.com">Website2</a>
<br>
<span>my website2 is about...</span>
and I allow only http/https URL schemes.
Some of my users told me they want to write a website or a connection using URL schemes like ftp://, mailto:, file: or info:, for example:
<a href="ftp://example.com">Website</a>
<br>
<span>my website is about transferring to you</span>
<br><br>
<a href="file:example2.com/file.xml">Website2</a>
<br>
<span>my website2 is about sharing a file link to download</span>
<br><br>
<a href="mailto:[email protected]">Website2</a>
<br>
<span>my website3 is to send me email for medical conditions</span>
Is it safe for viewers to allow this, or does it endanger their privacy or security unexpectedly?
Upvotes: 1
Views: 488
Reputation: 37710
This is a bad idea. Bear in mind that the vast majority of sites that offer this kind of functionality (such as WordPress comments) get completely overrun with malware links pretty much immediately. If HTTP wasn't bad enough already, allowing other schemes expands the options available for attackers to use, either for direct attacks on visitors to your site, or in using you as a proxy vector. If they really have a site that needs non-HTTP schemes, they should link to their own site and use whatever links they want from there, not pass the responsibility on to you.
Upvotes: 1
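As an added example that is not part of the question or the answer above: the scheme allowlist the asker already enforces for http/https, implemented the way the answer recommends keeping it. It parses the user-supplied link with the WHATWG URL parser (the same algorithm browsers apply to an href), so the bypasses that defeat a naive string check (mixed-case "JAVASCRIPT:", leading whitespace, embedded tab or newline) are normalized before the scheme is compared, and anything that is not an absolute URL (scheme-relative "//host", bare "example.com") is rejected outright. It assumes Node.js with the global URL class; the allowlist, the rel attributes and every sample input are constructed for this example.

```javascript
// Added example (not code from the original post): build a safe href from a
// user-supplied link by parsing it with the WHATWG URL parser and
// allowlisting the scheme. Assumes Node.js (global URL). All sample
// inputs below are constructed for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if its scheme is allowed, else null.
// Parsing with `new URL(raw)` and no base means:
//  - relative and scheme-relative inputs ("//evil.example/") throw -> rejected
//  - the scheme is lowercased, so "JAVASCRIPT:" cannot slip past the check
//  - leading/trailing C0 controls and spaces are trimmed and ASCII tab/newline
//    are removed anywhere, so "java\nscript:" is recognised as javascript:
function sanitizeHref(raw, allowed = ALLOWED_SCHEMES) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // not an absolute URL the browser would resolve on its own
  }
  if (!allowed.has(url.protocol)) return null;
  return url.href; // serialized, normalized form
}

// Attribute escaping for the href and label. The URL serializer already
// percent-encodes `"`, `<` and `>` in most components, but `&` and `'` can
// survive, so escape unconditionally instead of reasoning about which.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the link markup from the question, or a plain span with no link
// when the URL is rejected. rel="nofollow noopener noreferrer" is a choice
// made here, not something the post specifies.
function renderLink(rawHref, label) {
  const safe = sanitizeHref(rawHref);
  const text = escapeAttr(label);
  if (safe === null) return `<span>${text}</span>`;
  return `<a href="${escapeAttr(safe)}" rel="nofollow noopener noreferrer">${text}</a>`;
}

// Constructed samples: the schemes the users asked for, plus inputs that
// defeat checks such as raw.startsWith("http") or a case-sensitive compare.
const SAMPLES = [
  "https://example.com",
  "http://example.com",
  "ftp://example.com",
  "file:example2.com/file.xml",
  "mailto:someone@example.com",
  "JAVASCRIPT:alert(document.cookie)",
  " \tjavascript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/",
  "example.com",
];

function demo() {
  for (const s of SAMPLES) {
    const r = sanitizeHref(s);
    console.log(JSON.stringify(s).padEnd(46), r === null ? "REJECTED" : "-> " + r);
  }
  console.log(renderLink("http://example.com", "Website"));
  console.log(renderLink("ftp://example.com", "Website"));
}

demo();
```

If the site owner does decide to admit another scheme, the change is one entry in the allowlist (for example passing `new Set(["http:", "https:", "mailto:"])` as the second argument), and the parser still normalizes the input first; the point of the answer is that each added entry is a deliberate decision about what visitors' browsers will be handed, not a pattern match on the raw string.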