fix: incomplete URL scheme check

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: nperez0111

packages/react/src/util/sanitizeUrl.ts

@@ -9,7 +9,11 @@ export function sanitizeUrl(inputUrl: string, baseUrl: string): string {
     const url = new URL(inputUrl, baseUrl);
 
     // eslint-disable-next-line no-script-url -- false positive, we are explicitly checking if the protocol is safe to prevent XSS
-    if (url.protocol !== "javascript:") {
+    if (
+      url.protocol !== "javascript:" &&
+      url.protocol !== "data:" &&
+      url.protocol !== "vbscript:"
+    ) {
       return url.href;
     }
   } catch (error) {