Possible XSS in wiki author name
While reviewing !51273 (merged), I noticed that we were doing:
"<strong>#{@page.last_version.author_name}</strong>".html_safe
(The code before that MR does something similar)
Adding HTML tags to the author name, which I believe comes from the Git commit, could lead to an XSS vulnerability.
That is why in the examples in https://docs.gitlab.com/ee/development/i18n/externalization.html#html, we separate the HTML tags from the content so that we only call #html_safe on the tags.
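To make the difference concrete, here is an added example (not code from the issue, the MR, or GitLab itself) contrasting the two patterns. It runs on plain Ruby without Rails: `html_safe` is an ActiveSupport method, so the unsafe path is modelled by building the string exactly as the snippet above does and treating the whole result as trusted, while the safe path mirrors the documented approach by escaping the untrusted content with `ERB::Util.html_escape` and keeping only the literal tags unescaped. The author names are constructed samples, not data from any real commit; the function names are hypothetical.

```ruby
require 'erb'

# Constructed sample author names. An attacker controls the author field of a
# Git commit, so the "malicious" value is realistic input for this code path.
SAMPLE_AUTHORS = {
  benign:    'Alice Example',
  malicious: '<img src=x onerror=alert(1)>'
}.freeze

# Vulnerable pattern: the interpolated string is built first and then treated
# as trusted HTML as a whole (in Rails that is what `.html_safe` on the result
# does). Any markup inside author_name reaches the browser verbatim.
def unsafe_author_html(author_name)
  "<strong>#{author_name}</strong>"
end

# Hardened pattern, following the externalization docs: the template carries
# placeholders for the tags, the untrusted content is escaped before it is
# substituted, and only the literal tag strings are ever treated as safe HTML.
def safe_author_html(author_name)
  template = '%{strong_open}%{name}%{strong_close}'
  format(template,
         strong_open:  '<strong>',   # would be '<strong>'.html_safe in Rails
         strong_close: '</strong>',  # would be '</strong>'.html_safe in Rails
         name:         ERB::Util.html_escape(author_name))
end

# Check used to compare the two outputs: strip the <strong> wrapper we added
# on purpose and report whether anything that still looks like a tag remains.
def contains_unexpected_tag?(html)
  inner = html.sub(%r{\A<strong>}, '').sub(%r{</strong>\z}, '')
  inner.match?(%r{<[a-zA-Z/!]})
end

# Render both variants for every sample and report which ones leak markup.
def audit_author_rendering(authors = SAMPLE_AUTHORS)
  authors.each_with_object({}) do |(label, name), report|
    report[label] = {
      unsafe_leaks_markup: contains_unexpected_tag?(unsafe_author_html(name)),
      safe_leaks_markup:   contains_unexpected_tag?(safe_author_html(name))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_AUTHORS.each do |label, name|
    puts "#{label}: unsafe => #{unsafe_author_html(name)}"
    puts "#{label}: safe   => #{safe_author_html(name)}"
  end
  p audit_author_rendering
end
```

Note that escaping also rewrites characters that are harmless in a name, for example an apostrophe in O'Brien becomes `&#39;`; the browser still displays it correctly, so that is the expected cost of escaping rather than a bug.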