HTML escaping in MR summaries

Description of the problem

GitLab does not properly escape angle brackets (> and <) when displaying merge requests.

The brackets are correctly escaped in commit messages, but not in merge requests (either when using a commit message as a summary or typing angle brackets directly into the text box). Instead, the entire text in angle brackets is removed from the text entirely.

Which Group/Project (with full path) is experiencing the issue?

I made a project to demonstrate, but I first noticed this on a private CE repository, so it seems to be everything. The MR diff below displays the bug: note the angle brackets in the commit message, but not the MR description, which was generated automatically from the commit message.

mmcclimon/gitlab-bug!1 (71409cca)

MR 2 in that same project (mmcclimon/gitlab-bug!2) has no angle brackets in the commit message, but I included them directly in the text box when I filed the MR.

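One way the symptom reported above can arise is a renderer that drops tag-shaped text it does not recognize instead of escaping it. The following is an added example, not part of the original report and not GitLab's rendering code; the allowlist, the function names `render` and `lost_tokens`, and the sample message are constructed for illustration.

```ruby
# Constructed model for illustration; not GitLab's rendering code.
ALLOWED = %w[b i em strong code].freeze            # assumed tag allowlist
TAG = %r{<(/?)([A-Za-z][A-Za-z0-9-]*)([^<>]*)>}    # text shaped like an HTML tag
ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_html(text)
  text.gsub(/[&<>"]/, ENTITIES)
end

# Render untrusted text to HTML. Allowlisted tags (without attributes) pass
# through; anything else tag-shaped is either dropped (:strip) or shown
# literally (:escape). All remaining text is always escaped.
def render(text, unknown:)
  out = +''
  pos = 0
  text.scan(TAG) do
    m = Regexp.last_match
    out << escape_html(text[pos...m.begin(0)])
    if ALLOWED.include?(m[2].downcase) && m[3].strip.empty?
      out << "<#{m[1]}#{m[2].downcase}>"
    elsif unknown == :escape
      out << escape_html(m[0])
    end
    pos = m.end(0)
  end
  out << escape_html(text[pos..-1])
end

# Regression check: bracketed tokens from the input that no longer appear
# in the rendered output, either as markup or as escaped literal text.
def lost_tokens(input, html)
  input.scan(/<[^<>]+>/).reject do |tok|
    html.include?(tok) || html.include?(escape_html(tok))
  end
end

# Constructed sample, in the style of a commit message reused as an MR description.
SAMPLE = 'Handle Vec<String> and <T> in <code>gen.rs</code>'

if __FILE__ == $PROGRAM_NAME
  %i[strip escape].each do |mode|
    html = render(SAMPLE, unknown: mode)
    puts "#{mode}: #{html}  lost=#{lost_tokens(SAMPLE, html).inspect}"
  end
end
```

Both modes keep active markup such as `<script>` out of the output; only the escaping mode also preserves what the author typed.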