Usage `html_safe` in lib/gitlab/blame.rb
Review if it's safe to remove (or replace) `html_safe` in this code.
The following discussion from !163013 (merged) should be addressed:
@project_34814626_bot_1e1723927beec4a5914b72f293b1a07b started a discussion:
This AppSec automation is currently under testing. Use appsec-sasthelpful or appsec-sastunhelpful for quick feedback. For any detailed feedback, add a comment here.

`html_safe` usage is risky and frequently leads to XSS (see examples). Please refactor to avoid `html_safe` if at all possible and otherwise review carefully to make sure that no unsanitized data can reach this method or variable. Keep in mind that even if there is no user input flowing to this `html_safe` call today, this could change in the future so it's better to sanitize everything.
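As an added illustration of the bot's point (this is not code from `lib/gitlab/blame.rb` or from the GitLab project), the Ruby below contrasts assembling markup from raw strings and then trusting the whole result, which is what a trailing `html_safe` does, with escaping each untrusted field at the interpolation point using the standard-library `ERB::Util.html_escape`. The blame rows are constructed sample data, and ActiveSupport is not loaded, so the risky variant only shows the string that `html_safe` would mark as trusted.

```ruby
require 'erb'

# Constructed sample input: blame rows as they might come from git, where the
# author name and commit title are attacker-influenced (hypothetical data).
BLAME_ROWS = [
  { author: 'Alice', title: 'Fix typo', line: 'puts "hello"' },
  { author: '<script>alert(1)</script>', title: 'Bad commit', line: 'x = 1' }
].freeze

# Risky pattern: build the markup from raw strings and then mark the whole
# thing as trusted (in Rails that is the trailing .html_safe call). Everything
# inside the string, including the author name, reaches the browser unescaped.
def render_blame_row_risky(row)
  "<td class=\"author\">#{row[:author]}</td>" \
    "<td class=\"title\">#{row[:title]}</td>" \
    "<td class=\"code\">#{row[:line]}</td>"
  # In Rails, appending .html_safe here would skip all output escaping.
end

# Hardened pattern: escape every untrusted value where it is interpolated, so
# the only unescaped markup is the tags written in this method itself.
def render_blame_row_safe(row)
  esc = ->(s) { ERB::Util.html_escape(s.to_s) }
  "<td class=\"author\">#{esc.call(row[:author])}</td>" \
    "<td class=\"title\">#{esc.call(row[:title])}</td>" \
    "<td class=\"code\">#{esc.call(row[:line])}</td>"
end

# True when an input field containing raw '<' appears verbatim in the output,
# i.e. attacker-controlled markup survived into the rendered HTML.
def leaks_raw_markup?(html, row)
  row.values.any? { |v| v.include?('<') && html.include?(v) }
end
```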