[Security] Stored XSS. Account Takeover possilble.

• Gitea version (or commit ref): any version with external issue tracker
• Git version: not relevant
• Operating system: not relevant
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Screenshots

[techknowlogick]

Thoughts from top of my head, we could use net/url and validate that external issue tracker is a valid URL and the protocol of URL is http/https.

May have time in several hours to look into where to add this into code.

Thanks for report 😄

[lafriks]

@cezar97 thanks for report ;)

[lafriks]

I don't think that's worth the work as chances of that are quite minimal and I would not like to automatically remove or mess up someone's setttings