- Defect (Security)
- Resolution: Fixed
- Major
- None
- Sprint 59 (Dec 2019)
- 0.5
Persistent XSS vulnerabilities were introduced by the changes made in ZBX-12825.
This affects multiple pages, for example the problem view:
- Create trigger with the following URL: "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
- Cause trigger to go to the problem state.
- Go to problems page and click on URL in trigger popup menu:
It is a bit harder to perform the same trick in network maps, as user macros are not enabled for network map URLs. But it is still possible through inventory macros:
- Create map with host element. Add URL with inventory URL macro ({INVENTORY.URL.A}).
- Set host inventory to manual and set inventory url A to "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
- Save map
- Go to problems page and click on URL in map element popup menu:
The overall problem is caused by invalid termination of validation when some of the conditions are met while others are not.
This is the first commit that broke the validation.
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/7c3dbcab386f60b4c8c5244850ec11c853c50a08#frontends/php/include/classes/validators/CHtmlUrlValidator.php
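
The early-termination pattern described above, next to a stricter form, as an added example that is not Zabbix's `CHtmlUrlValidator` code or its actual fix. The function names, the scheme allow-list and the macro pattern are assumptions; the payload string is the one quoted in this report.

```php
<?php
// Added illustration, not Zabbix's CHtmlUrlValidator. Function names, the
// scheme allow-list and the macro pattern are assumptions.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto', 'tel', 'ssh'];
const MACRO_RE = '/\{\$?[A-Z0-9_.]+\}/';   // {$USER.MACRO} or {INVENTORY.URL.A}

function schemeAllowed(string $url): bool {
    // Browsers drop tabs/newlines inside URLs, so reject control bytes outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return false;
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', ltrim($url), $m) !== 1) {
        return true;                        // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Flawed: one satisfied condition (a macro is present) ends validation
// before the scheme is ever examined.
function validateFlawed(string $url): bool {
    if (preg_match(MACRO_RE, $url) === 1) {
        return true;
    }
    return schemeAllowed($url);
}

// Stricter: only a URL that *starts* with a macro has an unknown scheme and is
// deferred; every other URL always goes through the scheme check.
function validateOnSave(string $url): bool {
    if (preg_match('/^\{\$?[A-Z0-9_.]+\}/', $url) === 1) {
        return true;
    }
    return schemeAllowed($url);
}

// Deferred URLs are checked again after macro expansion, at render time.
function hrefForOutput(string $stored, array $macros): string {
    $resolved = strtr($stored, $macros);
    return schemeAllowed($resolved) ? $resolved : '#';
}

// Constructed samples; the payload string is the one quoted in the report.
$payload = 'javascript:alert(\'xss\'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}';
$inventory = ['{INVENTORY.URL.A}' => $payload];
foreach ([$payload, '{INVENTORY.URL.A}', 'https://example.com/{$PATH}'] as $url) {
    printf("%-62s flawed=%s save=%s href=%s\n", $url,
        var_export(validateFlawed($url), true),
        var_export(validateOnSave($url), true),
        hrefForOutput($url, $inventory));
}
```

The value returned by `hrefForOutput` still needs HTML attribute escaping (for example `htmlspecialchars`) before it is written into the page.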