Allow links and images on legislation drafts

Note we're using a new sanitizer. Ideally we'd reuse the
`AdminWYSIWYGSanitizer`, but then code that would be correctly shown by
markdown-it (like the <h1> tag) wouldn't be shown on the web, which is
confusing. Ideally we would configure markdown-it to only allow the tags
present in the `AdminWYSIWYGSanitizer` and provide some kind of help
showing which tags are allowed.

spec/system/xss_spec.rb

@@ -164,12 +164,15 @@ describe "Cross-Site Scripting protection", :js do
     expect(page.text).not_to be_empty
   end
 
-  scenario "legislation version body filters script tags but not header IDs" do
-    version = create(:legislation_draft_version, :published, body: "# Title 1\n#{attack_code}")
+  scenario "legislation version body filters script tags but not header IDs nor tags like images" do
+    markdown = "# Title 1\n<a href='https://domain.com/url'>link</a><img src='/image.png'>"
+    version = create(:legislation_draft_version, :published, body: "#{markdown}#{attack_code}")
 
     visit legislation_process_draft_version_path(version.process, version)
 
     expect(page.text).not_to be_empty
     expect(page).to have_css "h1#title-1", text: "Title 1"
+    expect(page).to have_link "link", href: "https://domain.com/url"
+    expect(page).to have_css('img[src="/image.png"')
   end
 end