By replacing the `;` of `&colon;` with a command, like `this;` or `document;`, the sanitization does not recognise `&colon` as a colon, as it does not have the trailing `;`. However, modern browsers recognise `&colon` as almost a colon, so they try to help out by showing it as a colon. This provides us with the exploit we need to create a link that can execute JavaScript when clicked. If you haven't run the command below, go ahead and try it:
[Bad Link](javascript&colonthis;alert(1))
This should work, and when you click your Bad Link todo entry you should see your alert.
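To show why the sanitizer loses here, the following is an added example (not code from the original page or the application it describes) that puts the literal `javascript:` check next to one that decodes character references as tolerantly as the browser does before allowlisting the scheme. The allowlist, the function names and the decoding rule are assumptions for this example; the hardened check also strips embedded control characters, which goes beyond what this page covers.

```python
import html
import re
from html.entities import html5

# Assumed policy for this example: only these link schemes are rendered.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Named references from the html5 table, keyed without the ';' ("colon" -> ":").
NAMED = {k[:-1]: v for k, v in html5.items() if k.endswith(";")}
REF_RE = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*)(;?)")


def lenient_unescape(text):
    """Decode character references even when the closing ';' is missing.

    A name without ';' is matched against the longest known entity prefix,
    so '&colonthis;' becomes ':this;' (the tolerant browser behaviour the
    text above relies on, which a strict decoder in the sanitizer misses).
    """
    def repl(m):
        body, semi = m.group(1), m.group(2)
        if body.startswith("#"):
            return html.unescape(m.group(0))   # numeric: stdlib handles both forms
        for cut in range(len(body), 0, -1):
            if body[:cut] in NAMED:
                tail = body[cut:]
                return NAMED[body[:cut]] + tail + (semi if tail else "")
        return m.group(0)                       # not an entity: leave untouched
    return REF_RE.sub(repl, text)


def naive_is_safe(url):
    """The kind of check the page bypasses: look for a literal 'javascript:'."""
    return not url.strip().lower().startswith("javascript:")


def is_safe_link(url):
    """Decode first, drop control characters, then allowlist the scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", lenient_unescape(url))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    if m is None:
        return True                              # relative URL, no scheme at all
    return m.group(1).lower() in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed inputs: the page's payload and an ordinary link.
    for link in ["javascript&colonthis;alert(1)", "https://example.com"]:
        print(link, "naive:", naive_is_safe(link), "decoded:", is_safe_link(link))
```

The point of the comparison is that the sanitizer must normalise the URL the way the browser will interpret it before deciding anything about its scheme.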