
Comment by pabs3

5 hours ago

I note that the code that pull request 12283 is changing builds HTML via string concatenation/templates, which is a widespread source of XSS problems. Maybe it is time for browsers and JavaScript runtimes/libraries to deprecate string-based HTML building and require DOM-based instead. The former is unsafe by design and the latter is a safe-by-construction approach.

Getting HTML building right is a pretty basic building block of web apps, Forgejo can't have great security practices if they aren't doing that. So I can easily imagine the OP is correct in their assessment of Forgejo code security.
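The string-versus-DOM contrast from the comment above, as an added example (not code from this thread, from Forgejo or from pull request 12283); the `renderComment*` functions, `fakeDocument` and the sample comment body are all constructed here for illustration:

```javascript
// Constructed attacker-controlled input, as it might arrive in a comment body.
const untrustedBody = '<img src=x onerror="alert(1)">';

// String-based: markup and data share one string, so an unescaped value
// becomes part of the structure. This is the pattern the comment warns about.
function renderCommentString(author, body) {
  return '<div class="comment"><b>' + author + '</b>: ' + body + '</div>';
}

// Escaping repairs the string approach, but only if it is applied to every
// interpolation every time; one missed call reopens the hole.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderCommentStringEscaped(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</div>';
}

// DOM-based: structure comes only from createElement, data only from
// textContent/createTextNode, so a value can never be parsed as markup.
// `doc` is injected so the same function runs in a browser (pass `document`)
// and under Node with the stand-in below.
function renderCommentDom(doc, author, body) {
  const div = doc.createElement('div');
  div.className = 'comment';
  const b = doc.createElement('b');
  b.textContent = author;          // text, never parsed
  div.appendChild(b);
  div.appendChild(doc.createTextNode(': ' + body));
  return div;
}

// Minimal constructed stand-in for `document`, enough to show node structure offline.
const fakeDocument = {
  createElement: (tag) => ({
    tagName: tag.toUpperCase(), childNodes: [], textContent: '', className: '',
    appendChild(n) { this.childNodes.push(n); return n; },
  }),
  createTextNode: (data) => ({ nodeType: 3, data }),
};

// Compare: the raw string keeps the <img> tag; the DOM version holds it as plain text.
console.log(renderCommentString('eve', untrustedBody));
console.log(renderCommentStringEscaped('eve', untrustedBody));
console.log(renderCommentDom(fakeDocument, 'eve', untrustedBody).childNodes[1].data);
```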