An issue exists in the comrak crate for Rust in versions before 0.10.1. It mishandles & characters in its HTML output, which allows cross-site scripting (XSS) via &# numeric character references (HTML entities of the form &#NN; or &#xHH;). Upgrading to comrak 0.10.1 or later resolves the issue.
Vendor: comrak project. Product: comrak.
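The advisory does not say which code path in comrak was affected, so the following is an added illustration of the bug class rather than comrak's own code: an HTML escaper that leaves an & alone when it appears to begin a numeric character reference (so that existing entities are not "double escaped"), next to the strict form that encodes every &. The naive scheme filter, the minimal attribute-value decoder and the payload are constructed for the example; the point they show is that &#106;avascript: is not "javascript:" to a filter that inspects raw text, but it is to a browser decoding an href attribute, so an escaper that passes &# through unencoded re-creates the URL.

```rust
// Added example, not comrak's code. `lenient = true` models the unsafe
// behaviour (an `&` starting `&#...;` is passed through); `lenient = false`
// is the hardened form that encodes every `&` unconditionally.

/// True if `s` starts with a complete numeric character reference such as
/// `&#106;` or `&#x6A;`. Hypothetical "looks like an entity" check.
pub fn looks_like_numeric_entity(s: &str) -> bool {
    let rest = match s.strip_prefix("&#") {
        Some(r) => r,
        None => return false,
    };
    let (digits, hex) = if rest.starts_with('x') || rest.starts_with('X') {
        (&rest[1..], true)
    } else {
        (rest, false)
    };
    let n = digits
        .chars()
        .take_while(|c| if hex { c.is_ascii_hexdigit() } else { c.is_ascii_digit() })
        .count();
    // Digits are ASCII, so the char count is also a byte offset.
    n > 0 && digits[n..].starts_with(';')
}

/// HTML-escapes text for use in element content or a quoted attribute value.
/// With `lenient`, an `&` that begins a numeric entity is NOT escaped.
pub fn escape_html(input: &str, lenient: bool) -> String {
    let mut out = String::with_capacity(input.len());
    for (i, c) in input.char_indices() {
        match c {
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            // Vulnerable pattern: "don't double-escape what already looks like an entity".
            '&' if lenient && looks_like_numeric_entity(&input[i..]) => out.push('&'),
            // Hardened: every `&` becomes `&amp;`, whatever follows it.
            '&' => out.push_str("&amp;"),
            _ => out.push(c),
        }
    }
    out
}

/// Constructed stand-in for a renderer's scheme filter: it inspects the raw
/// destination text, so an entity-encoded scheme slips past it.
pub fn naive_scheme_allowed(dest: &str) -> bool {
    !dest.trim_start().to_ascii_lowercase().starts_with("javascript:")
}

/// Renders a link the way a Markdown-to-HTML converter might, using the
/// chosen escaper for the href attribute and the link text.
pub fn render_link(dest: &str, text: &str, lenient: bool) -> String {
    let href = if naive_scheme_allowed(dest) { dest } else { "" };
    format!(
        r#"<a href="{}">{}</a>"#,
        escape_html(href, lenient),
        escape_html(text, lenient)
    )
}

/// Minimal model of how a browser decodes an attribute value: resolves
/// `&amp;` and numeric `&#NN;` / `&#xHH;` references, nothing else.
pub fn browser_decode_attr(value: &str) -> String {
    let mut out = String::new();
    let mut rest = value;
    while let Some(pos) = rest.find('&') {
        out.push_str(&rest[..pos]);
        let tail = &rest[pos..];
        if let Some(after) = tail.strip_prefix("&amp;") {
            out.push('&');
            rest = after;
        } else if looks_like_numeric_entity(tail) {
            let semi = tail.find(';').unwrap();
            let body = &tail[2..semi]; // text after "&#"
            let code = if body.starts_with('x') || body.starts_with('X') {
                u32::from_str_radix(&body[1..], 16).ok()
            } else {
                body.parse::<u32>().ok()
            };
            out.push(code.and_then(char::from_u32).unwrap_or('\u{FFFD}'));
            rest = &tail[semi + 1..];
        } else {
            out.push('&');
            rest = &tail[1..];
        }
    }
    out.push_str(rest);
    out
}

fn main() {
    // Constructed payload: the scheme's leading 'j' written as &#106;.
    let payload = "&#106;avascript:alert(1)";
    for lenient in [true, false] {
        let html = render_link(payload, "click", lenient);
        println!("lenient={lenient}: {html}");
        let href = html.split('"').nth(1).unwrap();
        println!("  browser sees href = {}", browser_decode_attr(href));
    }
}
```

Run it and the lenient rendering yields an href the browser decodes to javascript:alert(1), while the strict rendering yields &amp;#106;avascript:alert(1), which decodes to the harmless literal text. The general lesson is that an escaper must not make decisions based on what follows an &; the only safe context-free rule for HTML text and attribute values is to encode every & as &amp;.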