Stored XSS via image markdown in outline/outline
Reported on
Aug 4th 2022
Description
The site allows creating markdown that loads an image from a link, and that link can be used to generate XSS.
Proof of Concept
Payload:

Video: Youtube
Only works on Google Chrome
Impact
Stored XSS
Hey, can you prove exfiltration of data with this? Just executing javascript inside a data: url context doesn't really have any security implications that I'm aware of – the browsers sandbox origin and cookie access for exactly this reason.
Sorry, looks like I'm ignoring that; it can't seem to access origin or cookies. But XSS has many other impacts, not only in terms of security. Examples: run malicious scripts, attack users (get IP address, hack webcam...), navigate to malicious websites or fake websites, etc.
Its severity should be medium or low.
I see you use markdown-it in your repo. The markdown-it Security Policy also prohibits some kinds of links that could be used for XSS, including data:.
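The policy referred to above amounts to an allow-list on link and image destinations. The following is an added example written for this report, not outline's or markdown-it's own code: it assumes that only http(s), mailto and relative destinations are wanted, and that data: is acceptable solely for a few raster image types, so a data: URL carrying HTML or script is rendered as plain text instead of an `<img>` element.

```javascript
// Schemes that must never reach src= / href=; data: is only let through
// when it carries a raster image (assumption: these four types suffice).
const BAD_PROTO_RE = /^(vbscript|javascript|file|data):/;
const GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|webp);/;

// Normalise before testing: drop ASCII control characters that browsers
// ignore inside a scheme, trim surrounding whitespace, and lower-case.
function normalizeDestination(url) {
  return url.replace(/[\u0000-\u001f\u007f]/g, '').trim().toLowerCase();
}

// Returns true when the destination may be emitted into an attribute.
function validateLink(url) {
  const str = normalizeDestination(url);
  if (!BAD_PROTO_RE.test(str)) return true; // http:, https:, relative, mailto:
  return GOOD_DATA_RE.test(str);            // data: only for image MIME types
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Minimal renderer for the one construct this report is about: ![alt](dest).
// A rejected destination is rendered as escaped literal text, never as <img>.
// Returns null when the input is not a single image.
function renderImage(markdown) {
  const m = /^!\[([^\]]*)\]\(([^)\s]+)\)$/.exec(markdown.trim());
  if (!m) return null;
  const [, alt, dest] = m;
  if (!validateLink(dest)) return escapeHtml(markdown.trim());
  return `<img src="${escapeHtml(dest)}" alt="${escapeHtml(alt)}">`;
}
```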
Would accept as Low, I think it should be fixed but you've not really proven any security impact from it of note.
I thought so too, and I changed Attack Complexity to High because to attack it requires harsher conditions.