In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

References
https://blog.gitea.com/release-of-1.20.1/
https://github.com/go-gitea/gitea/releases/tag/v1.20.1
https://github.com/go-gitea/gitea/pull/25960
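
An illustration of the scheme allowlist check this class of issue calls for, written in Go because Gitea is a Go project. It is an added example, not Gitea's code or the fix from the pull request. The names linkScheme, IsAllowedLink and allowedSchemes, and the allowlist contents, are assumptions made for the example. The scheme is extracted the way a browser would parse it, so that case and whitespace differences do not slip past the comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed allowlist for this example; not Gitea's actual configuration.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// linkScheme returns the lowercased scheme a browser would parse from raw,
// and false when raw is a relative reference with no scheme.
func linkScheme(raw string) (string, bool) {
	// Browsers trim leading/trailing C0 controls and spaces and drop
	// tab, CR and LF anywhere in the string before parsing a URL.
	s := strings.TrimFunc(raw, func(r rune) bool { return r <= 0x20 })
	s = strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(s)
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case (c|0x20) >= 'a' && (c|0x20) <= 'z': // ASCII letter: valid at any position
		case i > 0 && (c >= '0' && c <= '9' || c == '+' || c == '-' || c == '.'):
		case i > 0 && c == ':':
			return strings.ToLower(s[:i]), true
		default:
			return "", false // not a scheme: the browser treats it as relative
		}
	}
	return "", false
}

// IsAllowedLink reports whether raw may be emitted as a link target:
// relative references pass, absolute ones only with an allowlisted scheme.
func IsAllowedLink(raw string) bool {
	scheme, hasScheme := linkScheme(raw)
	return !hasScheme || allowedSchemes[scheme]
}

func main() {
	// Constructed sample inputs.
	samples := []string{"https://example.com/x", "/owner/repo/issues/1", "docs/a:b",
		"javascript:void(0)", " JaVaScRiPt:void(0)", "java\tscript:void(0)"}
	for _, s := range samples {
		fmt.Printf("%-24q allowed=%v\n", s, IsAllowedLink(s))
	}
}
```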