XSS in url_for(params)

See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18241 / http://guides.rubyonrails.org/security.html#redirection-and-files / https://github.com/rails/rails/pull/20797 / others

Example on GitLab.com: https://gitlab.com/gitlab-org/gitlab-ce/issues?protocol=javascript&host=foo&author_username=%0aalert(%27hi%27)//

Click the feed icon at the top, and you'll get an alert box 😞

We need to:

1. Audit all current uses of url_for where we modify params.
2. Replace those with a safe_params variant.
3. Either add a RuboCop rule for url_for without the argument being safe_params, or create a follow-up issue.

Because of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18241, the patch will be slightly different for 10.7 and below to 10.8 and above.