The engineer added a new rule that detects uses of `html_safe` in Ruby code, because `html_safe` bypasses output escaping and, applied to untrusted input, can lead to cross-site scripting (XSS) vulnerabilities. The engineer also made some formatting changes to the existing rule. Overall, these changes aim to improve the security of the code and recommend an AppSec review when disabling security rules.
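As an added example (not the project's rule or code), a small Ruby scanner that does what such a rule does: it flags every `.html_safe` call and separates constant-literal receivers from interpolated ones, which is where the noise in a blanket rule comes from. It is shown next to the escape-before-mark pattern that keeps such a call safe; the sample source, `scan_html_safe` and `escaped_greeting` are constructed for this illustration.

```ruby
require 'erb'

# Constructed sample of Rails-style helper code to scan (not the project's code).
SAMPLE = <<~'RUBY'
  def greeting(name)
    "<b>Hello, #{name}</b>".html_safe
  end
  def divider
    "<hr>".html_safe
  end
  def safe_greeting(name)
    "<b>Hello, #{ERB::Util.html_escape(name)}</b>".html_safe
  end
RUBY

Finding = Struct.new(:line, :severity, :code)

# Report each line that calls .html_safe. A receiver that is a plain string
# literal with no interpolation is :info (constant markup, low risk); any other
# receiver is :warning, because the scanner cannot tell whether the interpolated
# value was escaped first. That residual uncertainty is what the human review is for.
def scan_html_safe(source)
  source.each_line.with_index(1).filter_map do |text, lineno|
    next unless text.include?('.html_safe')
    receiver = text[/(.*)\.html_safe/, 1].strip
    literal_only = receiver.match?(/\A"(?:[^"\\#]|\\.|#(?!\{))*"\z/) ||
                   receiver.match?(/\A'[^']*'\z/)
    Finding.new(lineno, literal_only ? :info : :warning, text.strip)
  end
end

# The safe counterpart of the first sample: escape untrusted input before it is
# ever embedded in markup, so marking the result as safe does not reintroduce XSS.
def escaped_greeting(name)
  "<b>Hello, #{ERB::Util.html_escape(name)}</b>"
end

if __FILE__ == $PROGRAM_NAME
  scan_html_safe(SAMPLE).each { |f| puts "line #{f.line} [#{f.severity}] #{f.code}" }
  puts escaped_greeting('<script>alert(1)</script>')
end
```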
This is still pretty noisy and currently finds more than 200 `html_safe` usages in the code base with all (I hope?
I think adding all of this to the vulnerability report would be noisy so I'd need to change the CI config on the other side as well. TODO! (EDIT: gitlab-org/gitlab!125754 (merged))
Related to #16