comrak was matching unsafe URL prefixes, such as data: or javascript:, in a case-sensitive manner. This meant prefixes like Data: were left untouched.
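The difference between case-sensitive and case-insensitive prefix matching, as an added Rust example that is not comrak's own code. The function names, the two-entry prefix list (taken from the prefixes named above) and the sample URLs are assumptions constructed for illustration.

```rust
// Added illustration, not comrak's source. The prefix list is an assumption
// limited to the two prefixes the advisory names.
const UNSAFE_PREFIXES: [&str; 2] = ["data:", "javascript:"];

/// Case-sensitive match: the behaviour the advisory describes.
fn is_unsafe_case_sensitive(url: &str) -> bool {
    UNSAFE_PREFIXES.iter().any(|p| url.starts_with(*p))
}

/// Case-insensitive match. Compares bytes rather than slicing the &str,
/// so a multi-byte character near the prefix boundary cannot cause a panic.
fn is_unsafe_case_insensitive(url: &str) -> bool {
    let bytes = url.as_bytes();
    UNSAFE_PREFIXES.iter().any(|p| {
        bytes.len() >= p.len() && bytes[..p.len()].eq_ignore_ascii_case(p.as_bytes())
    })
}

/// Constructed sample inputs: (url, whether it carries an unsafe prefix).
fn samples() -> Vec<(&'static str, bool)> {
    vec![
        ("javascript:void(0)", true),
        ("data:text/plain,hello", true),
        ("Data:text/plain,hello", true),
        ("JavaScript:void(0)", true),
        ("https://example.com/data:", false),
        ("é", false),
    ]
}

/// Sample URLs with an unsafe prefix that the case-sensitive check lets through.
fn missed_by_case_sensitive() -> Vec<&'static str> {
    samples()
        .into_iter()
        .filter(|(u, bad)| *bad && !is_unsafe_case_sensitive(u))
        .map(|(u, _)| u)
        .collect()
}

fn main() {
    for (url, _) in samples() {
        let (cs, ci) = (is_unsafe_case_sensitive(url), is_unsafe_case_insensitive(url));
        println!("{:<28} case-sensitive={:<5} case-insensitive={}", url, cs, ci);
    }
    println!("missed by case-sensitive check: {:?}", missed_by_case_sensitive());
}
```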
{ "license": "CC0-1.0" }
{ "affected_functions": null, "affects": { "os": [], "functions": [], "arch": [] } }
{ "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "informational": null, "categories": [ "format-injection" ] }