I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:
foo onclick
the following shouldn't render: <a class="item muted sidebar-item-link" href=foo onclick>
The following should: <a class="item muted sidebar-item-link" href="foo onclick">
Oh, for sure! That'd end the conversation: "your change breaks the existing tests. Fix that and we'll re-consider."
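The test suggested in the first comment, sketched as an added example; it is not code from this PR or from the project. `render_unquoted` and `render_quoted` are hypothetical stand-ins for the template before and after the fix, and Python's `html.parser` stands in for the browser's tokenizer so the check is on parsed attributes rather than on string matching.

```python
from html import escape
from html.parser import HTMLParser

LINK_CLASS = "item muted sidebar-item-link"  # class string quoted in the comment


def render_unquoted(url):
    """Hypothetical 'before' template: URL dropped into an unquoted attribute."""
    return f'<a class="{LINK_CLASS}" href={url}>'


def render_quoted(url):
    """Hypothetical 'after' template: attribute is quoted and the value escaped,
    so neither whitespace nor a quote character in the URL can end the value."""
    return f'<a class="{LINK_CLASS}" href="{escape(url, quote=True)}">'


class _AnchorAttrs(HTMLParser):
    """Records the attributes of the first <a> start tag it sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attrs(markup):
    """Parse markup and return the <a> tag's attributes as a dict."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_attrs(markup):
    """Attribute names on the <a> beyond the two the template itself emits."""
    return sorted(set(anchor_attrs(markup)) - {"class", "href"})


if __name__ == "__main__":
    url = "foo onclick"  # attacker-controlled URL from the comment
    print(render_unquoted(url), injected_attrs(render_unquoted(url)))
    print(render_quoted(url), injected_attrs(render_quoted(url)))
```

In a real suite the two assertions would run against the project's actual template output: no attribute other than `class` and `href` on the link, and `href` equal to the full input string.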