Persistent XSS rendering/escaping of diff location lines `@@` in Merge Request changes view
In the Merge Request Changes view, lines showing the hunk locations (starting with `@@`) that contain matching `>` characters, common in many programming languages, are either rendered as HTML elements that should not be rendered or stripped, instead of the user data being displayed.
Steps to reproduce
- Create a source file with a line containing `<script>`, with at least 3 lines following it.
- Commit a change to a line 3 lines below the element in step 1 to a new branch.
- Create an MR for the single commit branch.
What is the current bug behavior?
`<script>` element will be correctly displayed in the New Merge Request form, but when viewed under Changes in the submitted merge request, will render as a text input or be stripped from the output, respectively. Other elements may also be allowed through.
What is the expected correct behavior?
The contents of the source file should be properly sanitized and displayed.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
This is most likely a regression of the MR refactor.
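
The escaping that the expected behavior calls for, as an added example (not GitLab's code): a hypothetical renderer for `@@` hunk location lines, with the unescaped form beside the escaped one. The function names, the `hunk-header` class and the sample line are assumptions constructed for illustration.

```javascript
// Added example: hypothetical renderer, not GitLab's code.
// Unified-diff hunk header: "@@ -old[,count] +new[,count] @@ [section text]"
const HUNK_HEADER = /^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)$/;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function parseHunkHeader(line) {
  const m = HUNK_HEADER.exec(line);
  if (!m) return null;
  return {
    oldStart: Number(m[1]),
    oldCount: m[2] === undefined ? 1 : Number(m[2]), // count defaults to 1 when omitted
    newStart: Number(m[3]),
    newCount: m[4] === undefined ? 1 : Number(m[4]),
    section: m[5].trim(), // copied from file content, so user-controlled
  };
}

// Rebuild the display text from parsed fields; unparseable lines pass through whole.
function hunkText(line) {
  const h = parseHunkHeader(line);
  if (!h) return line;
  return `@@ -${h.oldStart},${h.oldCount} +${h.newStart},${h.newCount} @@ ${h.section}`.trimEnd();
}

// Weak: the text goes into markup as-is, so "<script>" becomes an element.
function renderHunkHeaderUnsafe(line) {
  return `<td class="hunk-header">${hunkText(line)}</td>`;
}

// Hardened: escape at the output boundary, which also covers the fallback path.
function renderHunkHeaderSafe(line) {
  return `<td class="hunk-header">${escapeHtml(hunkText(line))}</td>`;
}

// Constructed sample: a hunk header whose section text is a line from the source file.
const SAMPLE = '@@ -1,7 +1,7 @@ <script>';
console.log(renderHunkHeaderUnsafe(SAMPLE));
console.log(renderHunkHeaderSafe(SAMPLE));
```

Escaping the rebuilt text as a whole, not only the section field, keeps lines that fail to parse from reaching the page unescaped.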