HTML escaping in MR summaries
Description of the problem
GitLab does not properly escape angle brackets (<) when displaying merge requests.
The brackets are correctly escaped in commit messages, but not in merge requests (either when using a commit message as a summary or typing angle brackets directly into the text box). Instead, the entire text in angle brackets is removed from the text entirely.
Which Group/Project (with full path) is experiencing the issue?
I made a project to demonstrate, but I first noticed this on a private CE repository, so it seems to be everything. The MR diff below displays the bug: note the angle brackets in the commit message, but not the MR description, which was generated automatically from the commit message.
MR 2 in that same project (mmcclimon/gitlab-bug!2) has no angle brackets in the commit message, but I included them directly in the text box when I filed the MR.
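The report contrasts escaping angle brackets with dropping the bracketed text. The following is an added Ruby illustration of that difference, not part of the original report and not GitLab's code. Both renderers, the helper names and the sample message are hypothetical, and the tag-stripping renderer is only an assumed stand-in for whatever produces the symptom.

```ruby
require "cgi"

# Hypothetical renderer: escaping keeps the author's text visible as
# literal characters in the rendered page.
def render_escaped(text)
  CGI.escapeHTML(text)
end

# Hypothetical renderer: anything shaped like <...> is treated as markup
# and dropped before output, matching the symptom in the report.
def render_stripped(text)
  CGI.escapeHTML(text.gsub(/<[^<>]*>/, ""))
end

# Regression check: return every <...> segment of the source whose escaped
# form is missing from the rendered HTML, i.e. text that was silently lost.
def lost_bracket_segments(source, rendered_html)
  source.scan(/<[^<>]*>/).uniq.reject do |segment|
    rendered_html.include?(CGI.escapeHTML(segment))
  end
end

# Constructed sample commit message (not taken from the report).
SAMPLE = "Fix parsing of <stdin> and Foo<Bar> types"

if __FILE__ == $PROGRAM_NAME
  puts render_escaped(SAMPLE)
  puts render_stripped(SAMPLE)
  p lost_bracket_segments(SAMPLE, render_stripped(SAMPLE))
end
```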