Details
Description
A user's username is inserted into the "rel" attribute of the user mention link without being properly encoded. If the username contains a " character, new attributes can be injected into the <a> user mention link element. This provides a persistent XSS vector.
To reproduce this issue:
1. add or sign up as a user called: " onmouseover="alert(3)"
2. mention the user in an issue: " onmouseover="alert(3)"
3. refresh the page
4. hover over the user's mention link
5. observe an alert prompt containing the value 3.
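The following added example (not the affected project's code) contrasts a mention-link template that writes the raw username into rel with the same template using attribute encoding, and includes a regression check that flags any attribute the template did not emit. The helper names, the class attribute and the /users/ URL layout are assumptions made for illustration.

```javascript
// Added example: helper names and URL layout are hypothetical.
const SAMPLE_USERNAME = '" onmouseover="alert(3)"'; // username from the reproduction steps

// Encode characters that can end a quoted attribute value or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// "Before": href and link text are encoded, but rel receives the raw username.
function renderMentionUnsafe(username) {
  return '<a class="mention" href="/users/' + encodeURIComponent(username) +
    '" rel="' + username + '">@' + escapeHtml(username) + "</a>";
}

// "After": the same template with the rel value encoded for an attribute context.
function renderMentionSafe(username) {
  return '<a class="mention" href="/users/' + encodeURIComponent(username) +
    '" rel="' + escapeHtml(username) + '">@' + escapeHtml(username) + "</a>";
}

// List the double-quoted attributes of the opening tag. Minimal scanner for
// this template's output, not a full HTML tokenizer.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">"));
  const re = /\s([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  const names = [];
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: a mention link must carry exactly the template's attributes.
function hasInjectedAttributes(html) {
  const allowed = new Set(["class", "href", "rel"]);
  return attributeNames(html).some((name) => !allowed.has(name));
}

console.log(attributeNames(renderMentionUnsafe(SAMPLE_USERNAME)));
console.log(attributeNames(renderMentionSafe(SAMPLE_USERNAME)));
```

A check like hasInjectedAttributes can run in a unit test over usernames containing quotes, so the encoding cannot silently regress.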