RichText parser vulnerability in scheduled posts allows XSS

Disclosed: 2023-04-20 18:37:38 By la_revoltage To reddit
High
Vulnerability Details
## Summary:

RichText parser is not filtering links when editing scheduled posts.

## Steps To Reproduce:

1. Create a new scheduled post with a link: {F2270188}
2. Intercept the request with Burp Suite/other proxies and replace the link with a javascript scheme payload: {F2270195}
3. Navigate to scheduled posts and click Edit: {F2270203}
4. Observe the malicious link; if you click on it, the javascript will execute: {F2270204}

## Root cause and possible ways to leverage

When submitting a scheduled post, the API doesn't validate links; validation happens only on the client side, so the links can be forged by intercepting the request. Though, it seems it is impossible to get the XSS into a live post: when submitting the malicious post, reddit turns richtext to markdown and then to html, which automatically removes invalid links. Another possible way to bring it into a real post is to use the Link type and also forge the link, but when submitting it will just give an error.

## Impact

An attacker can trick admins into visiting the scheduled-post editing page and clicking the malicious link, which results in XSS.
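The root cause above is that the link URL was checked only in the browser, so anything the client sent was stored as-is. The server-side check that closes this class of bug is a scheme allowlist applied to every link node before the post is persisted. The following is an added example (not code from the reporter or from reddit); it assumes a simplified, constructed rich-text format in which a link node is a dict with `"e": "link"` and its URL in `"u"`, and it normalizes the URL the way browsers do (stripping leading/trailing control characters and spaces, dropping embedded tab/CR/LF) so that case or whitespace tricks do not bypass the check.

```python
"""Server-side scheme allowlist for links in a rich-text document.

Added example, not reddit's code: the node layout ("e": "link", "u": url)
is a constructed, simplified stand-in for the real rich-text format.
"""
from urllib.parse import urlsplit

# Only these schemes may appear in a post link; javascript:, data:,
# vbscript: and anything else are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# WHATWG URL parsing: leading/trailing C0 controls and space are stripped,
# and tab/CR/LF anywhere in the URL are ignored, so "java\tscript:" is
# still treated as javascript: by a browser.
_C0_CONTROL_OR_SPACE = "".join(map(chr, range(0x21)))
_IGNORED_INSIDE = "\t\r\n"


def normalize_url(raw: str) -> str:
    """Apply the browser's leniencies before inspecting the scheme."""
    cleaned = raw.strip(_C0_CONTROL_OR_SPACE)
    for ch in _IGNORED_INSIDE:
        cleaned = cleaned.replace(ch, "")
    return cleaned


def is_safe_link(raw: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme with a host.

    urlsplit lower-cases the scheme, so "JavaScript:" is caught as well.
    """
    parts = urlsplit(normalize_url(raw))
    if parts.scheme == "":
        # Relative link such as "/r/example": nothing can execute here.
        return True
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def find_unsafe_links(node, path="$"):
    """Walk the document tree and return (json_path, url) for every link
    node whose URL fails the allowlist. An empty list means the post may
    be stored."""
    unsafe = []
    if isinstance(node, dict):
        if node.get("e") == "link" and "u" in node:
            if not is_safe_link(str(node["u"])):
                unsafe.append((path, node["u"]))
        for key, child in node.items():
            unsafe.extend(find_unsafe_links(child, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            unsafe.extend(find_unsafe_links(child, f"{path}[{index}]"))
    return unsafe


# Constructed sample: the second link mimics a request whose URL was
# replaced in a proxy after the client-side check had already passed.
SAMPLE_DOC = {
    "document": [
        {"e": "par", "c": [
            {"e": "text", "t": "Read the "},
            {"e": "link", "t": "announcement", "u": "https://example.com/post"},
        ]},
        {"e": "par", "c": [
            {"e": "link", "t": "click me", "u": "JavaScript:alert(1)"},
        ]},
    ]
}

if __name__ == "__main__":
    for json_path, url in find_unsafe_links(SAMPLE_DOC):
        print(f"rejected link at {json_path}: {url!r}")
```

Run on the constructed document, the check reports the forged link at `$.document[1].c[0]` and the API handler would reject the whole submission. Requiring a network location for `http`/`https` also rejects degenerate values such as `http:payload`; relative links are accepted because no scheme can execute in them.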
Report Stats
  • Report ID: 1930763
  • State: Closed
  • Substate: resolved
  • Upvotes: 259