dssrf: every IPv6 category bypasses is_url_safe
A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below: Input Category http://[::1]/ IPv6 loopback http://[fc00::1]/ IPv6 ULA http://[fe80::1]/ IPv6 link-local http://[::ffff:127.0.0.1]/ IPv4-mapped loopback http://[::ffff:169.254.169.254]/ IPv4-mapped IMDS http://[::ffff:100.64.0.1]/ IPv4-mapped CGNAT http://[64:ff9b::7f00:1]/ NAT64 well-known prefix http://[64:ff9b:1::1]/ NAT64 local-use (RFC 8215) http://[5f00::1]/ SRv6 …