Cat 01/04/2018 (Thu) 19:34:45 Id: d5593f No. 507
Will sanitize that on 2.0, but won't change on 1.9 unless I find a bug to justify 1.9.5.

While that is indeed a XSS, it can only afffect people inputting the url themselves.