FIX: Apply 'allowed_href_schemes' to all src/srcset attributes (#16860)

Previously we were only applying the restriction to `a[href]` and `img[src]`. This commit ensures we apply the same logic to all allowlisted media src attributes.

spec/lib/pretty_text_spec.rb

@@ -1371,6 +1371,37 @@ describe PrettyText do
     expect(cooked).to eq(n expected)
   end
 
+  it "applies scheme restrictions to img[src] attributes" do
+    SiteSetting.allowed_href_schemes = "steam"
+    cooked = cook "![Steam URL Image](steam://store/452530) ![Other scheme image](itunes://store/452530)"
+    expected = '<p><img src="steam://store/452530" alt="Steam URL Image"> <img src="" alt="Other scheme image"></p>'
+    expect(cooked).to eq(n expected)
+  end
+
+  it "applies scheme restrictions to track[src] and source[src]" do
+    SiteSetting.allowed_href_schemes = "steam"
+    cooked = cook <<~MD
+      <video>
+        <source src="steam://store/452530"><source src="itunes://store/452530"><track src="steam://store/452530"><track src="itunes://store/452530">
+      </video>
+    MD
+    expect(cooked).to include <<~HTML
+      <source src="steam://store/452530"><source src=""><track src="steam://store/452530"><track src="">
+    HTML
+  end
+
+  it "applies scheme restrictions to source[srcset]" do
+    SiteSetting.allowed_href_schemes = "steam"
+    cooked = cook <<~MD
+      <video>
+        <source srcset="steam://store/452530 1x,itunes://store/123 2x"><source srcset="steam://store/452530"><source srcset="itunes://store/452530">
+      </video>
+    MD
+    expect(cooked).to include <<~HTML
+      <source srcset="steam://store/452530 1x,"><source srcset="steam://store/452530"><source srcset="">
+    HTML
+  end
+
   it 'allows only tel URL scheme to start with a plus character' do
     SiteSetting.allowed_href_schemes = "tel|steam"
     cooked = cook("[Tel URL Scheme](tel://+452530579785)")