Review if it's safe to remove (or replace) `html_safe` in this code. The following discussion from !163013 should be addressed: - [ ] @project_34814626_bot_1e1723927beec4a5914b72f293b1a07b started a [discussion](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163013#note_2051112551): > `html_safe` usage is risky and frequently leads to XSS (see [examples](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/sast-custom-rules/-/blob/main/appsec-pings/html_safe.yml?ref_type=heads#L33)). Please refactor to avoid `html_safe` if at all possible and otherwise review carefully to make sure that no unsanitized data can reach this method or variable. Keep in mind that even if there is no user input flowing to this `html_safe` call today, this could change in the future so its better to sanitize everything. > > <small> > This AppSec automation is currently under testing. > Use ~"appsec-sast::helpful" or ~"appsec-sast::unhelpful" for quick feedback. > For any detailed feedback, [add a comment here](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/sast-custom-rules/-/issues/38). > </small>