Weblate: [demo.weblate.org] Stored Self-XSS via Editor Link in Profile

Hi, Input validation and/or sanitisation is not currently applied to the "Editor Link" in the user's Preferences. Consequently, it is possible to store a JavaScript payload which is stored and executes in the Weblate instance context. F178717 Steps to reproduce 1. Visit the above Preferences page...

Phabricator: Persistent XSS: Editor link

The editor link used for external applications allows scheme other than http: or https:. Although the phutiltag function checks whether the scheme is javascript: to prevent XSS attacks see GitHub, it is straightforward to bypass this check by adding a whitespace character in between javascript an...