RUSTSEC-2021-0063: XSS in `comrak`

Source: Rustsec (rustsec.org)
Published: 2021-05-04 12:00:00

EPSS: 0.001 (Low), percentile 32.8%

comrak operates by default in a “safe” mode of operation where unsafe content,
such as arbitrary raw HTML or URLs with non-standard schemes, is not permitted
in the output. This follows the reference GFM implementation, cmark-gfm.

Ampersands were not being correctly escaped in link targets, making it possible
to fashion unsafe URLs using schemes like data: or javascript: by entering them
as HTML entities, e.g. &#x64&#x61&#x74&#x61&#x3a (the numeric character
references for "data:", written without trailing semicolons). Because the
ampersands reached the output unescaped, the browser decoded those references
while parsing the href attribute and ended up with a data: URL that the scheme
check had never seen. The intended behaviour, demonstrated upstream, is that
the ampersands are escaped to &amp; so the entities remain harmless literal
text, but this behaviour was broken in comrak.
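
To make the mechanism concrete, the following is an added Rust example; it is
not comrak's code and is not taken from the advisory. It reconstructs the two
halves of the bug: a hand-written scheme check modelled on cmark-gfm's
scan_dangerous_url, a vulnerable and a fixed href emitter, and a small decoder
that mimics how a browser tokenises an attribute value (decoding `&amp;` and
numeric character references with or without the `;`). The function names, the
decoder and the payload strings are this example's own assumptions.

```rust
/// Scheme check modelled on cmark-gfm's scan_dangerous_url (assumption: the
/// real scanner is a generated re2c rule; this is a hand-written equivalent).
fn dangerous_scheme(dest: &str) -> bool {
    let lower = dest.to_ascii_lowercase();
    const DANGEROUS: [&str; 4] = ["javascript:", "vbscript:", "file:", "data:"];
    // cmark-gfm exempts a few inline image types from the data: rule.
    const DATA_ALLOWED: [&str; 4] = [
        "data:image/png", "data:image/gif", "data:image/jpeg", "data:image/webp",
    ];
    DANGEROUS.iter().any(|s| lower.starts_with(*s))
        && !DATA_ALLOWED.iter().any(|s| lower.starts_with(*s))
}

/// Attribute-value escaping an HTML renderer must apply to a href.
fn escape_href(dest: &str) -> String {
    let mut out = String::with_capacity(dest.len());
    for c in dest.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Reconstruction of the vulnerable path: safe mode blanks a dangerous href,
/// but a destination that passes the check is emitted verbatim, `&` included.
fn href_vulnerable(dest: &str) -> String {
    if dangerous_scheme(dest) { String::new() } else { dest.to_string() }
}

/// Fixed path: the same check, but the emitted value is attribute-escaped.
fn href_fixed(dest: &str) -> String {
    if dangerous_scheme(dest) { String::new() } else { escape_href(dest) }
}

/// What a browser makes of an attribute value: `&amp;` becomes `&`, and a
/// numeric character reference is decoded whether or not its `;` is present
/// (the missing semicolon is a parse error the tokenizer tolerates).
fn browser_decode_attr(s: &str) -> String {
    let mut out = String::new();
    let mut rest = s;
    while let Some(i) = rest.find('&') {
        out.push_str(&rest[..i]);
        rest = &rest[i..];
        if let Some(after) = rest.strip_prefix("&amp;") {
            out.push('&');
            rest = after;
            continue;
        }
        if let Some(after) = rest.strip_prefix("&#") {
            let hex = after.starts_with('x') || after.starts_with('X');
            let (radix, digits) = if hex { (16, &after[1..]) } else { (10, after) };
            let n = digits.chars().take_while(|c| c.is_digit(radix)).count();
            if n > 0 {
                if let Some(ch) = u32::from_str_radix(&digits[..n], radix)
                    .ok()
                    .and_then(char::from_u32)
                {
                    out.push(ch);
                    rest = digits[n..].strip_prefix(';').unwrap_or(&digits[n..]);
                    continue;
                }
            }
        }
        // Not a reference the tokenizer recognises: the `&` is literal.
        out.push('&');
        rest = &rest[1..];
    }
    out.push_str(rest);
    out
}

fn main() {
    // Constructed payload: "data:" spelled as semicolon-less numeric references.
    let payload = "&#x64&#x61&#x74&#x61&#x3a";
    println!("scheme check flags payload: {}", dangerous_scheme(payload));
    println!("vulnerable href, as the browser sees it: {:?}",
             browser_decode_attr(&href_vulnerable(payload)));
    println!("fixed href, as the browser sees it:      {:?}",
             browser_decode_attr(&href_fixed(payload)));
}
```

The payload deliberately omits the `;` after each reference: a CommonMark
parser only decodes well-formed entity references, so these stay verbatim in
the link destination and the scheme check compares `&#x64...` rather than
`data:`. Only the output escaping of `&` stands between that string and the
browser's attribute decoder, which is why the fix is in the renderer, not in
the scheme check.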

Affected versions: comrak < 0.10.1

