If an attacker has control over the page to edit arbitrary HTML, that chain is already compromised. Even if the attacker's exploit only allowed certain attributes, just the href and rel attributes needed for this protocol would already be enough to execute javascript and load stylesheets on that page.

This is in addition to the original site linking to the new one with a news post. Does that also mean nothing because an attacker could add a news post to the page?