WIP: Change all uses of the :plain filter to :escaped
What does this MR do?
With MR !20315 (merged), the behaviour of the :plain filter in hamlit changed to match haml's behaviour. Significantly, this means it no longer escapes the string being interpolated. The one case where this was a known issue was discovered through a unit test, but out of caution all other uses of the filter are being changed to :escaped, to ensure no other XSS vulnerabilities are being introduced.
Note: these are all the locations I found grep'ing the source code, but I haven't run the tests (I let the runner do that instead) nor manually checked for any obvious breakage. If the tests pass and the changes look good, please remove the WIP tag and merge. There are no further :plain filters I am aware of.
cc: @godfat
Why was this MR needed?
Without this MR, there is a potential XSS vulnerability introduced by the upgrade to the latest hamlit release. Note that this applies regardless of Ruby version.
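As an added illustration (not code from this MR, nor from hamlit or haml), the following Ruby models the two filter behaviours described above and the grep-style audit used to find remaining :plain uses. The interpolation model, the constructed payload and the sample Haml source are assumptions made for the example; the real filters are implemented inside hamlit, and this only reproduces the escaping difference that matters for XSS.

```ruby
require "cgi"

# Constructed payload: the kind of user-controlled string a template might interpolate.
UNTRUSTED = %q{<script>alert("xss")</script>}

# Models the post-change :plain filter: interpolated values are inserted verbatim.
# (Simplified stand-in for this example; not hamlit's implementation.)
def render_plain(template, vars)
  template.gsub(/#\{(\w+)\}/) { vars.fetch(Regexp.last_match(1)) }
end

# Models the :escaped filter: interpolated values are HTML-escaped before insertion.
def render_escaped(template, vars)
  template.gsub(/#\{(\w+)\}/) { CGI.escapeHTML(vars.fetch(Regexp.last_match(1))) }
end

# Review check: does the rendered output still contain an unescaped tag opener?
def raw_tag?(html)
  html.match?(%r{</?[a-z]}i)
end

# Constructed Haml source standing in for a grep over the repository.
HAML_SAMPLE = <<~'HAML'
  %p
    :plain
      Hello #{user_name}
  %p
    :escaped
      Hello #{user_name}
  :plain
    Bare filter with no interpolation
HAML

# Equivalent of `grep -n ':plain'`: 1-based line numbers where a :plain filter starts.
def find_plain_filters(source)
  source.each_line.with_index(1)
        .select { |line, _n| line.match?(/\A\s*:plain\b/) }
        .map { |_line, n| n }
end

# The mechanical change this MR makes: swap every :plain filter for :escaped,
# preserving indentation so the filter body still belongs to it.
def convert_plain_to_escaped(source)
  source.gsub(/^(\s*):plain\b/, '\1:escaped')
end

if __FILE__ == $PROGRAM_NAME
  template = 'Hello #{user_name}'
  vars = { "user_name" => UNTRUSTED }
  puts "plain:   #{render_plain(template, vars)}"
  puts "escaped: #{render_escaped(template, vars)}"
  puts "remaining :plain filters at lines #{find_plain_filters(HAML_SAMPLE).inspect}"
  puts "after conversion: #{find_plain_filters(convert_plain_to_escaped(HAML_SAMPLE)).inspect}"
end
```

The :plain rendering leaves the `<script>` tag intact, while :escaped turns it into `&lt;script&gt;...`, which is the difference the MR closes. The audit helper is only as good as the pattern it greps for, so a filter written with unusual whitespace or generated at runtime would still need a manual check, which is why the MR asks for the test suite to run as well.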
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Tests added for this feature/bug
- Conforms to the code review guidelines
- Has been reviewed by a Frontend maintainer
- Has been reviewed by a Backend maintainer
- Conforms to the merge request performance guidelines
- If you have multiple commits, please combine them into a few logically organized commits by squashing them
- End-to-end tests pass (package-and-qa manual pipeline job)
What are the relevant issue numbers?
N/A