This is a backport for 11.3 stable branch.

Gitlab::UrlBlocker ignores scheme when validating URI matching either
config.gitlab or config.gitlab_shell

This patch enforces matching config.gitlab.protocol for internal web and
ssh for internal shell.

A cleanup migration for stored XSS from environments table is included.