A quick check of whether http: and javascript: links from non-HTML documents lead out of the application. For "javascript:", it works if you install an application that registers javascript: URLs as its own (yes, you can do this...); currently, Maxthon Browser seems to be an example of such an application.
This is a variant of the NXDOMAIN spoofing attempt using IDN look-alike characters.