Persistent XSS rendering/escaping of diff location lines `@@` in Merge Request changes view

This issue was originally reported to security@gitlab.com by a user, reported to HackerOne: https://hackerone.com/reports/380621

Summary

In the Merge Request Changes view, the hunk location lines beginning with `@@` can contain matching `<` and `>` characters, which are common in many programming languages. This text is being interpreted as HTML instead of being treated as user data: elements that should never be rendered are rendered, or are stripped from the output.

Steps to reproduce

  1. Create a source file with a line containing `<input>` or `<script>` and at least 3 lines following it.
  2. Commit a change to a line 3 lines below the element from step 1 on a new branch.
  3. Create an MR for the single-commit branch.

What is the current bug behavior?

The `<input>` or `<script>` element is correctly displayed in the New Merge Request form, but when viewed under Changes in the submitted merge request it renders as a text input or is stripped from the output, respectively. Other elements may also be allowed through.

Example Project

  • Stripped
  • Correct in commit view
  • Text input
  • Correct in commit view

What is the expected correct behavior?

The contents of the source file should be properly sanitized and displayed.
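The following is an added illustration, not GitLab's code: a minimal diff-line renderer that HTML-escapes hunk header lines (whose trailing text git takes from the source file) the same way it escapes every other diff line, plus a regression check that flags raw tags surviving into the rendered markup. The class names and the sample diff are constructed for this example.

```javascript
// Added example (not GitLab code): escape unified-diff hunk headers before
// rendering, so source text such as "<input>" is displayed, not interpreted.
const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@(.*)$/;

// Minimal HTML escaping; every diff line goes through this before the DOM.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render one line of a unified diff as HTML. The text after the second "@@"
// is copied by git from the source file, so it is as untrusted as any
// added/removed/context line and must be escaped the same way.
function renderDiffLine(line) {
  if (HUNK_HEADER.test(line)) {
    return `<span class="hunk-header">${escapeHtml(line)}</span>`;
  }
  const cls = line.startsWith('+') ? 'added'
    : line.startsWith('-') ? 'removed' : 'context';
  return `<span class="${cls}">${escapeHtml(line)}</span>`;
}

function renderDiff(lines) {
  return lines.map(renderDiffLine).join('\n');
}

// Regression check: after removing the wrapper spans the renderer itself
// emits, no other tag-like sequence may remain in the markup.
function hasUnexpectedTags(html) {
  const stripped = html.replace(/<\/?span(?: class="[a-z-]+")?>/g, '');
  return /<[a-zA-Z!/]/.test(stripped);
}

// Constructed sample diff: the hunk header carries "<input>" from the file,
// matching the reproduction steps above.
const SAMPLE_DIFF = [
  '@@ -1,4 +1,4 @@ <input>',
  ' line two',
  '-old line',
  '+new line',
];
```

`hasUnexpectedTags` is the kind of assertion a view test can run over the rendered Changes output to catch this regression.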

Relevant logs and/or screenshots!

Correctly rendered as a "New Merge Request" (screenshot: new_merge_request)

Incorrectly rendering a text input element (screenshot: merge_request_changes)

Output of checks

This bug happens on GitLab.com.

Possible fixes

This is most likely a regression of the MR refactor.

Edited Dec 18, 2018 by Antony Saba