remote code execution
Attacker sends:
\<a href="`touch${IFS}/tmp/ohai`@lol.com">link name\</a>
If the Gajim user clicks the link, they'll execute that command as the user running Gajim.
This bug is not mine - it was reported to me in an IRC channel while I was discussing auditing Gajim by ' userr' - they deserve the credit but were too lazy to report the bug; they requested that I do it and so I am merely a messenger.
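A defensive sketch of the fix class for this report, added here and not Gajim's own code: it assumes the clicked href was being placed on a shell command line, and instead checks the scheme against an allow-list and passes the href as a single argv element. `ALLOWED_SCHEMES`, `xdg-open` as the opener and all function names are assumptions.

```python
import subprocess
import sys
from urllib.parse import urlsplit

# Assumed allow-list; a real client would list the schemes it actually supports.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}

# Constructed sample: the href from the report above (note it has no scheme).
REPORTED_HREF = "`touch${IFS}/tmp/ohai`@lol.com"


def is_openable(href):
    """Accept only hrefs with an allow-listed scheme and no whitespace/control chars."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in href):
        return False
    try:
        scheme = urlsplit(href).scheme.lower()
    except ValueError:
        return False
    return scheme in ALLOWED_SCHEMES


def opener_argv(href, opener="xdg-open"):
    """Build the command as an argv list so the href is never parsed by a shell.

    The required scheme also means the href cannot start with '-' and be
    mistaken for an option of the opener.
    """
    if not is_openable(href):
        raise ValueError("refusing to open href: scheme not allowed")
    return [opener, href]


def argv_roundtrip(href):
    """Hand href to a child process as one argv element and return what it received.

    With an argv list and no shell=True, backticks and ${IFS} are plain bytes.
    """
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", href]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("reported href openable:", is_openable(REPORTED_HREF))
    print("child received:", argv_roundtrip(REPORTED_HREF))
    print("argv for a mailto link:", opener_argv("mailto:" + REPORTED_HREF))
    # A real caller would then run: subprocess.run(opener_argv(href), check=False)
```

The allow-list alone is not the fix: a `mailto:` href can still carry backticks, which is why the argv list (no shell) is the part that removes the command execution.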