Link to problem area:
https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5
Issue
It states:
"As such, homeservers MUST sanitise mxc:// URIs by allowing only alphanumeric (A-Za-z0-9), _ and - characters in the server-name and media-id values."
Given that server-name the vast majority of the time is a qualified domain with a TLD, the .tld would make it invalid. Ports, IPv4 and IPv6 addresses would also be invalid. It should be updated such that the grammar only applies to the media-id segment, and server-name should refer to https://spec.matrix.org/v1.12/appendices/#server-name for valid grammar.
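An added example, not part of the original issue or of the Matrix spec: a Python validator that applies the strict character set to media-id only and checks server-name against a pattern transcribed from the appendix grammar the issue links to. The names parse_mxc and accepts, the strict_server_name flag and the dots-only rejection are assumptions of this example.

```python
import re

# Strict character set the quoted security text requires for media-id.
MEDIA_ID_RE = re.compile(r"[A-Za-z0-9_-]+")

# server-name = hostname [":" port], transcribed from the linked appendix
# grammar (this transcription is an assumption of the example).
SERVER_NAME_RE = re.compile(
    r"(?:"
    r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"   # IPv4 literal
    r"|\[[0-9A-Fa-f:.]{2,45}\]"        # bracketed IPv6 literal
    r"|[A-Za-z0-9.-]{1,255}"           # DNS name
    r")(?::[0-9]{1,5})?"               # optional port
)


def parse_mxc(uri, strict_server_name=False):
    """Return (server_name, media_id) or raise ValueError.

    strict_server_name=True applies the media-id character set to the
    server-name too, which is the literal reading the issue objects to.
    """
    prefix = "mxc://"
    if not uri.startswith(prefix):
        raise ValueError("not an mxc:// URI")
    server_name, sep, media_id = uri[len(prefix):].partition("/")
    if not sep:
        raise ValueError("missing media-id")
    server_re = MEDIA_ID_RE if strict_server_name else SERVER_NAME_RE
    if not server_re.fullmatch(server_name):
        raise ValueError(f"invalid server-name: {server_name!r}")
    # Extra hardening added by this example: the DNS-name pattern admits
    # "." and "..", which are unsafe if the name becomes a path component.
    if not server_name.strip("."):
        raise ValueError("server-name consists only of dots")
    if not MEDIA_ID_RE.fullmatch(media_id):
        raise ValueError(f"invalid media-id: {media_id!r}")
    return server_name, media_id


def accepts(uri, **kwargs):
    """True if parse_mxc() accepts the URI, False if it rejects it."""
    try:
        parse_mxc(uri, **kwargs)
        return True
    except ValueError:
        return False
```

With strict_server_name=True, ordinary names such as matrix.org, matrix.org:8448, 1.2.3.4 and [::1] are all rejected, which is the problem the issue describes; with the default, they pass while traversal-style media-id values are still refused.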