In short, when a link isn’t prefixed wit http:// or https://, then it opens by appending whatever link text (be it attribute or raw) to the application root url.
An easy workaround can be to append or validate on http prefixes, but the link should just be able to attempt to open whatever text it’s assigned.
For example, bit.ly’s or similar minified links wouldn’t work.