@blag blag commented Apr 28, 2014

From https://en.wikipedia.org/wiki/Data_URI_scheme#Format, allow the pseudo-protocol 'data'. This allows base64-encoded image data to be embedded with, e.g.: tags.

@hoppipolla-critic-bot

Critic review: https://critic.hoppipolla.co.uk/r/1404

This is an external review system which you may optionally use for the code review of your pull request.

In order to help critic track your changes, please do not make in-place history rewrites (e.g. via git rebase -i or git commit --amend) when updating this pull request.

@gsnedders (Member)

Allowing data URIs in general is unsafe. Consider, e.g., <iframe src="data:text/html,<script>alert(parent.cookies)%3B<%2Fscript>">. As such, this cannot be merged as is; data URIs would need to be handled separately with a whitelist of MIME types that do not allow scripting.

@gsnedders (Member)

Closing for now; probably best to create an entirely new PR for anything that provides a data URI sanitization scheme, as that's probably a fair bit of work on its own.

@gsnedders gsnedders closed this Apr 28, 2014
@gsnedders (Member)

Oh, wait, iframes are blocked anyway. Duh. I think you can still do this with <img> and SVG, though?
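An allow-list check of the kind the review asks for, added here as an example and not code from the project under review: it parses the `data:[<mediatype>][;base64],<data>` format from the linked page and accepts only MIME types that cannot carry script. The image-only allow-list, the default to `text/plain` for an omitted media type, and the rejection of `image/svg+xml` (SVG can embed script, per the last comment) are this example's assumptions.

```python
import base64
import re

# Assumed allow-list: raster image types only. image/svg+xml is deliberately
# absent (SVG documents may contain <script>), as is text/html.
SAFE_DATA_MIME_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})

# data:[<mediatype>][;base64],<data>  (format from the Wikipedia section linked in the PR)
_DATA_URI_RE = re.compile(
    r"^data:(?P<mediatype>[^,]*?)(?P<b64>;base64)?,(?P<payload>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def is_safe_data_uri(uri: str) -> bool:
    """Return True only for data: URIs whose MIME type is on the allow-list.

    Everything else, including URIs that are not data: URIs at all, is rejected.
    """
    m = _DATA_URI_RE.match(uri.strip())
    if not m:
        return False
    mediatype = m.group("mediatype").strip()
    # Drop parameters such as ";charset=utf-8"; only the bare type decides.
    mime = mediatype.split(";", 1)[0].strip().lower()
    # An omitted media type means text/plain (assumed default), which is not allowed.
    if mime == "":
        mime = "text/plain"
    if mime not in SAFE_DATA_MIME_TYPES:
        return False
    if m.group("b64"):
        # Refuse payloads that are not strict base64 instead of passing junk through.
        try:
            base64.b64decode(m.group("payload"), validate=True)
        except ValueError:
            return False
    return True
```

The two test cases below taken from this thread (an HTML payload and an SVG payload) are both rejected, while a base64 PNG header is accepted.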
