[openSUSE/open-build-service] 1bd006: Sanitize simple_format
Branch: refs/heads/master
Home: https://github.com/openSUSE/open-build-service

Commit: 1bd0066341f93fd02bbf531f92b20ffd6cf97695
https://github.com/openSUSE/open-build-service/commit/1bd0066341f93fd02bbf53...
Author: Henne Vogelsang <hvogel@opensuse.org>
Date: 2021-07-02 (Fri, 02 Jul 2021)

Changed paths:
M src/api/app/views/layouts/webui/_flash.html.haml
M src/api/app/views/webui/patchinfo/show.html.haml
M src/api/app/views/webui/request/_review_tab.html.haml
M src/api/app/views/webui/shared/_collapsible_text.html.haml

Log Message:
-----------
Sanitize simple_format

simple_format marks output as html safe. All of this data includes user input.
Through XML parsing we even store HTML in the database.

```
Xmlhash.parse('<project name="hans"><description><h2>Hello World</h2></description></project>')
=> {"name"=>"hans", "description"=>"<h2>Hello World</h2>"}
```

So better sanitize the simple_format output.

Commit: 4358d8a34ac97359ef04cfefae8a0af3ee2dc83e
https://github.com/openSUSE/open-build-service/commit/4358d8a34ac97359ef04cf...
Author: Victor Pereira <vpereira@suse.de>
Date: 2021-07-05 (Mon, 05 Jul 2021)

Changed paths:
M src/api/app/views/layouts/webui/_flash.html.haml
M src/api/app/views/webui/patchinfo/show.html.haml
M src/api/app/views/webui/request/_review_tab.html.haml
M src/api/app/views/webui/shared/_collapsible_text.html.haml

Log Message:
-----------
Merge pull request #11320 from hennevogel/refactoring/html-in-elements

Sanitize simple_format

Compare: https://github.com/openSUSE/open-build-service/compare/482ab4cbbce1...4358d8...
participants (1)
-
Victor Pereira
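Added example, not code from the open-build-service commits above: a stdlib-only Ruby stand-in for the paragraph wrapping that simple_format performs, run over the stored `<h2>Hello World</h2>` description from the commit message, to show why html-safe output over user-controlled text leaks that markup and how escaping the text before wrapping closes it. The helper names (`wrap_paragraphs`, `safe_simple_format`, `leaks_user_markup?`) and the sample description are assumptions; Rails' real simple_format lives in ActionView and is not called here.

```ruby
require "cgi"

# Constructed sample: a project description as Xmlhash would hand it back
# from the database, HTML included (the value quoted in the commit message),
# plus a line break and a second paragraph so the wrapping has work to do.
USER_DESCRIPTION = "<h2>Hello World</h2>\nfirst line\n\nsecond paragraph"

# Stdlib stand-in for simple_format's paragraph wrapping (assumption, not
# ActionView): blank lines split paragraphs, single newlines become <br />.
# It escapes nothing, which is exactly the property the commit is about.
def wrap_paragraphs(text)
  text.to_s.split(/\n{2,}/).map do |para|
    "<p>" + para.gsub("\n", "<br />") + "</p>"
  end.join("\n")
end

# Unsafe: markup that was stored with the description is emitted verbatim,
# and a caller treating the result as html-safe will render it as HTML.
def unsafe_simple_format(text)
  wrap_paragraphs(text)
end

# Hardened: escape the user-controlled text first, then add our own
# paragraph markup. Only the <p> and <br /> tags we generate survive.
def safe_simple_format(text)
  wrap_paragraphs(CGI.escapeHTML(text.to_s))
end

# Detection check: true when the output still contains any tag other than
# the ones wrap_paragraphs itself adds.
def leaks_user_markup?(html)
  tags = html.scan(%r{</?([a-z0-9]+)[^>]*>}i).flatten.map(&:downcase)
  tags.any? { |tag| !%w[p br].include?(tag) }
end

if __FILE__ == $0
  puts unsafe_simple_format(USER_DESCRIPTION)
  puts "---"
  puts safe_simple_format(USER_DESCRIPTION)
end
```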