This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v8.0/admin/upgrade/).

- Security bug fixes
  A [change introduced in Forgejo v1.21](https://codeberg.org/forgejo/forgejo/pulls/1433) allows a Forgejo user with write permission on a repository description to [inject a client-side script into the web page viewed by the visitor](https://en.wikipedia.org/wiki/Cross-site_scripting). This XSS allows for `href` in anchor elements to be set to a `javascript:` URI in the repository description, which will execute the specified script upon clicking (and not upon loading). [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI.

<!--start release-notes-assistant-->

<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4835) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4848)): <!--number 4848 --><!--line 0 --><!--description RG8gbm90IGluY2x1ZGUgdHJhaWxpbmcgRU9MIGNoYXJhY3RlciB3aGVuIGNvdW50aW5nIGxpbmVz-->Do not include trailing EOL character when counting lines<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4836) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4847)): <!--number 4847 --><!--line 0 --><!--description QWRkIGJhY2tncm91bmQgdG8gcmVhY3Rpb25zIG9uIGhvdmVy-->Add background to reactions on hover<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4806) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4807)): <!--number 4807 --><!--line 0 --><!--description UHJldmVudCB1cHBlcmNhc2UgaW4gaGVhZGVyIG9mIGRhc2hib2FyZCBjb250ZXh0IHNlbGVjdG9y-->Prevent uppercase in header of dashboard context selector<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4754) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4756)): <!--number 4756 --><!--line 0 --><!--description Rml4IHBhZ2UgbGF5b3V0IGluIGFkbWluIHNldHRpbmdz-->Fix page layout in admin settings<!--description-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4896) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4901)): <!--number 4901 --><!--line 0 --><!--description ZGlzYWxsb3cgamF2YXNjcmlwdDogVVJJIGluIHRoZSByZXBvc2l0b3J5IGRlc2NyaXB0aW9u-->disallow javascript: URI in the repository description<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4852) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4865)): <!--number 4865 --><!--line 0 --><!--description RW5zdXJlIGFsbCBmaWx0ZXJzIGFyZSBwZXJzaXN0ZW50IGluIGlzc3VlIGZpbHRlcnM=-->Ensure all filters are persistent in issue filters<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4828) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4840)): <!--number 4840 --><!--line 0 --><!--description QWxsb3cgNCBjaGFyYWNodGVyIFNIQSBpbiBgL3NyYy9jb21taXRg-->Allow 4 charachter SHA in `/src/commit`<!--description-->
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4668) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4881)): <!--number 4881 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgIzQ2NjggYW5kICM0NzgzIHRvIHY4-->i18n: backport of #4668 and #4783 to v8<!--description-->
<!--end release-notes-assistant-->