The :// is needed because it seperates the pseudo-uri-schema from the rest-of-the-uri. (Real URIs use : for schemas that do not take a hostname next, but this isn't a real uri, and doesn't use quite the same syntax.)
And as to the second point, we do bracket-link expansion before HTML verification, IIRC, and thus it doesn't make that sort of "attack" much easier. As always, look before you
leap click. (And don't use a browser that lets people lie about where links point, like some unpatched IEs.)
The HTML filtering code could, at some point, be enhanced to check for this sort of attack, but I'm not sure I understand that code sufficently to do that -- that would be more of a tyeish project.
Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).