[Bug][Security] Markdown does not have any URI scheme restrictions

[stypr]

Bug Description

There doesn't seem to be a URI scheme validation when the URL is already set on the link.
This makes it possible for attackers to make a malicious link that can open any kinds of URI on the client side, including any executables, deeplinks and files on the directory.
As a result, an attacker can maliciously craft a payload to harm other users by leaving a link on the page.

It may not sound exploitable at all, but if the victim's system has an application that has a vulnerability in the deeplink implementation, this issue can be leveraged to execute an arbitrary code execution.

How to Reproduce

Opening cmd.exe

1. Create a new document with the following text

[Click Me](file:///C:\Windows\System32\calc.exe)

2. Convert it to the link -- You can remove ) and readd ) to make it to a link

3. Click on a link, Open link

4. Confirm that cmd is opened

Other possible deeplinks

[deeplink1](appflowy-flutter://#access_token=1234&refresh_token=1234)
[deeplink2](AppFlowy://12341234)
[deeplink3](calculator://1)

Expected Behavior

URL needs to be validated and needs to print Incorrect Link.

Operating System

Windows 11 x86_64

AppFlowy Version(s)

0.5.4

Screenshots

No response

Additional Context

No response